Global Blackhole Service

Jens Ott - PlusServer AG at
Fri Feb 13 18:44:34 UTC 2009

Hash: SHA1

Jack Bates schrieb:
> Paul Vixie wrote:
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly
> and efficiently track down forged packets? Is there a remedy to shutting
> down the *known* botnets, not to mention the unknown ones?

This is another issue, and _all_ of us are in charge to keep their net clean
from outgoing DoS. Most outgoing DoS inside our network are mitigated - ok
most of the time the dos'ing server is being disconnected - in less than 10
minutes, as we do not only check what's coming in, but also check what our
customers are sending out. And as soon as someone forges IPs, he's
disconnected unless we know what was happening (mostly hacked servers) and the
issue was fixed. As it is the nature of DoS that there are lots of packets
send, they can easily be identified in (s|c|net)flows ... unfortunately there
are _lots_ of ISP not having automated mechanism for misuse-detection and
mitigation, or if they have some, they don't care about alarms.

Therefore I agree, the only practicable way to protect the majority of
customers is to blackhole the IP under attack.

Even if the DoS is not DDoS, but coming from one single source... 99,9% of any
emails to any NOC worldwide is not being answered in less than one hour
(especially in "out-shift-hours") and from the 0.1% left I bet 99,9% of the
DoS are also not stopped during this hour. And one hour of DoS may make some
small ISP loose more money then they earn per month!

> While all this is worked out, we have one solution we know works. If we
> null route the victim IP, the traffic stops at the null route. Since
> most attackers don't care to DOS the ISP, but just to take care of that
> end point, they usually don't start shifting targets to try and keep the
> ISP itself out.


> Jack

- --

Jens Ott
Leiter Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501

E-Mail: at
GPG-Fingerprint: 808A EADF C476 FABE 2366  8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth


HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Aufsichtsratsvorsitz: Claudius Schmalschläger


Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the NANOG mailing list