Global Blackhole Service

Christopher Morrow morrowc.lists at gmail.com
Fri Feb 13 13:59:01 CST 2009


On Fri, Feb 13, 2009 at 1:04 PM, Jack Bates <jbates at brightok.net> wrote:
> Paul Vixie wrote:
>>
>> blackholing victims is an interesting economics proposition.  you're
>> saying
>> the attacker must always win but that they must not be allowed to affect
>> the
>> infrastructure.  and you're saying victims will request this, since they
>> know
>> they can't withstand the attack and don't want to be held responsible for
>> damage to the infrastructure.
>
> Blackholing victims is what is current practice. For each stage of affected

it is A current practice.. so is filtering, so is scrubbing... there
is no one answer for this.

> infrastructure, the business/provider will make requests to their peers to
> blackhole the victim IP to protect the bandwidth caps or router throughput
> caps.

or cause no one really cares about:
your.mama.wears.combat.boots.tobed.com ... or other silly 95%-of
attacked, things.

>
>>
>> where you lose me is where "the attacker must always win".
>
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly and

There are purchasable answers to this problem... 3 (at least)
providers in the US (and at least one now offers it globally) offer
traffic scrubbing services. I know that one offers it at a very
reasonable price even...

> efficiently track down forged packets? Is there a remedy to shutting down

you can track streams of forged packets, but that's not super
important here. Forged packets actually make this part of the problem
(stopping the dos) easier, not harder.

> the *known* botnets, not to mention the unknown ones?
>

there are lots of folks tracking and shutting down botnets, it's not
horribly effective in stopping this sort of thing. I can vividly
recall tracking down 4 nights in a row the same 'botnet' (same
controller person, different C&C and mostly different bots) as they
were being used to attack a customer of mine at the time. This with
the cooperation of 2 other very large ISP's in the US and one vendor
security team even. In the end though a simple scrubbing solution was
deemed the simplest answer for all involved.

> The attacker will always win if he has a large enough attack

For extreme cases this is true, but there are quite a lot of things on
the spectrum which don't require super human efforts, and don't even
require intervention from the ISP if proper precautions are taken at
the outset.

-chris




More information about the NANOG mailing list