Global Blackhole Service
jbates at brightok.net
Fri Feb 13 12:04:49 CST 2009
Paul Vixie wrote:
> blackholing victims is an interesting economics proposition. you're saying
> the attacker must always win but that they must not be allowed to affect the
> infrastructure. and you're saying victims will request this, since they know
> they can't withstand the attack and don't want to be held responsible for
> damage to the infrastructure.
Blackholing victims is what is current practice. For each stage of
affected infrastructure, the business/provider will make requests to
their peers to blackhole the victim IP to protect the bandwidth caps or
router throughput caps.
Most providers, I imagine, don't ask the victim. The victim is
unintentionally in violation of a TOS or AUP in many cases, but just as
importantly, the provider can point out that the service to the customer
was useless to begin with, and so the provider protected the rest of the
customers who were not directly attacked.
Sometimes the attack is to something simple, like the IP of a modem bank
or router just upstream of the intended victim. Such cases are
no-brainers. We didn't need public access to that IP anyways. It'll
break a few traceroutes, but otherwise, business goes on. In a few
cases, it has been the end target IP of a customer which was dynamic in
nature. The IP was blackholed for 3-5 days and the customer was
transfered to a new IP and warned not to piss off the attacker.
> where you lose me is where "the attacker must always win".
Do you have a miraculous way to stop DDOS? Is there now a way to quickly
and efficiently track down forged packets? Is there a remedy to shutting
down the *known* botnets, not to mention the unknown ones?
The attacker will always win if he has a large enough attack
platform/botnet. Attacks aren't random in nature. Someone pissed someone
else off that was, or knew someone who was, self proclaimed l33t. How
many threads are in nanog archives on using prefix lists, uRPF, etc?
Most of the problems that allow DDOS traffic are not technical problems,
as much as they are economic and political problems.
While all this is worked out, we have one solution we know works. If we
null route the victim IP, the traffic stops at the null route. Since
most attackers don't care to DOS the ISP, but just to take care of that
end point, they usually don't start shifting targets to try and keep the
ISP itself out.
More information about the NANOG