Global Blackhole Service

Jack Bates jbates at
Fri Feb 13 18:04:49 UTC 2009

Paul Vixie wrote:
> blackholing victims is an interesting economics proposition.  you're saying
> the attacker must always win but that they must not be allowed to affect the
> infrastructure.  and you're saying victims will request this, since they know
> they can't withstand the attack and don't want to be held responsible for
> damage to the infrastructure.

Blackholing victims is what is current practice. For each stage of 
affected infrastructure, the business/provider will make requests to 
their peers to blackhole the victim IP to protect the bandwidth caps or 
router throughput caps.

Most providers, I imagine, don't ask the victim. The victim is 
unintentionally in violation of a TOS or AUP in many cases, but just as 
importantly, the provider can point out that the service to the customer 
was useless to begin with, and so the provider protected the rest of the 
customers who were not directly attacked.

Sometimes the attack is to something simple, like the IP of a modem bank 
or router just upstream of the intended victim. Such cases are 
no-brainers. We didn't need public access to that IP anyway. It'll 
break a few traceroutes, but otherwise, business goes on. In a few 
cases, it has been the end target IP of a customer which was dynamic in 
nature. The IP was blackholed for 3-5 days and the customer was 
transferred to a new IP and warned not to piss off the attacker.

> where you lose me is where "the attacker must always win".

Do you have a miraculous way to stop DDOS? Is there now a way to quickly 
and efficiently track down forged packets? Is there a remedy to shutting 
down the *known* botnets, not to mention the unknown ones?

The attacker will always win if he has a large enough attack 
platform/botnet. Attacks aren't random in nature. Someone pissed someone 
else off that was, or knew someone who was, self-proclaimed l33t. How 
many threads are in the NANOG archives on using prefix lists, uRPF, etc.? 
Most of the problems that allow DDOS traffic are not technical problems, 
as much as they are economic and political problems.

While all this is worked out, we have one solution we know works. If we 
null route the victim IP, the traffic stops at the null route. Since 
most attackers don't care to DOS the ISP, but just to take care of that 
end point, they usually don't start shifting targets to try and keep the 
ISP itself out.
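The null-route mechanism Jack describes, as an added illustration that is not part of the original post or thread: a small Python model of longest-prefix-match forwarding at a peer router and at the ISP's own edge. It shows why the provider asks its *peers* to blackhole the victim /32 rather than only null-routing locally: a local null route protects the customer link but the flood still fills the transit link, while the same /32 installed upstream stops the traffic before it reaches the ISP at all. It also shows the cost the thread is arguing about, namely that legitimate traffic to the victim is discarded along with the attack. All addresses (documentation ranges), packet sizes and the route entries are constructed for the example; the class and function names are the example's own.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst size")  # size in bytes

# Next-hop sentinel standing in for a Null0 / discard interface.
BLACKHOLE = None


class Fib:
    """Minimal longest-prefix-match forwarding table (constructed model)."""

    def __init__(self, routes=()):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Return (network, next_hop) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes if addr in net]
        if not candidates:
            return None
        return max(candidates, key=lambda route: route[0].prefixlen)


def forward(fib, packets):
    """One forwarding hop: packets with no route or a blackhole next hop are dropped."""
    delivered, dropped = [], []
    for pkt in packets:
        match = fib.lookup(pkt.dst)
        if match is None or match[1] is BLACKHOLE:
            dropped.append(pkt)
        else:
            delivered.append(pkt)
    return delivered, dropped


def link_bytes(peer_fib, isp_fib, packets):
    """Bytes crossing the peer->ISP transit link, and bytes reaching the customer link."""
    on_transit, _ = forward(peer_fib, packets)     # what the peer hands to the ISP
    to_customer, _ = forward(isp_fib, on_transit)  # what the ISP edge passes on
    return sum(p.size for p in on_transit), sum(p.size for p in to_customer)


def make_traffic():
    """Constructed sample: a flood from forged sources plus two legitimate packets."""
    attack = [Packet(f"198.51.100.{i % 250 + 1}", "203.0.113.10", 1500)
              for i in range(400)]
    legit = [
        Packet("192.0.2.50", "203.0.113.20", 500),  # neighbour of the victim, same /24
        Packet("192.0.2.51", "203.0.113.10", 500),  # real user trying to reach the victim
    ]
    return attack + legit


def scenario():
    """Compare no blackhole, a local null route, and a null route at the peer."""
    peer = Fib([("203.0.113.0/24", "link-to-isp")])
    isp = Fib([("203.0.113.0/24", "customer-link")])
    traffic = make_traffic()

    before = link_bytes(peer, isp, traffic)

    # ISP null-routes the victim /32 on its own edge: customer link is spared,
    # but every attack packet still crosses the transit link first.
    isp.add("203.0.113.10/32", BLACKHOLE)
    local_only = link_bytes(peer, isp, traffic)

    # ISP asks the peer to install the same /32 blackhole: the flood (and the
    # legitimate packet to the victim) is discarded before it reaches the ISP.
    peer.add("203.0.113.10/32", BLACKHOLE)
    at_peer = link_bytes(peer, isp, traffic)

    return {"before": before, "local_null_route": local_only, "peer_null_route": at_peer}


if __name__ == "__main__":
    for name, (transit, customer) in scenario().items():
        print(f"{name:18s} transit={transit:7d} bytes  customer={customer:7d} bytes")
```

The /32 blackhole wins longest-prefix match over the customer's /24, so only the victim address is affected; the neighbour at .20 keeps receiving traffic in every case, which is the "protect the rest of the customers" trade-off made in the post. What the model cannot show is the operational part: the request to the peer is made out of band or via a BGP-signalled blackhole community, and the victim stays unreachable for as long as that route is installed.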
