Global Blackhole Service

Jake Mertel jake at
Fri Feb 13 20:12:55 UTC 2009

I think this solution addresses a number of issues that the current blackhole process lacks. Generally when a blackhole is sent to your provider, they in turn pass that on to the rest of their routers, dropping the traffic as soon as it hits their network. The traffic is still taking up just as much capacity up to that point. Were a system implemented as discussed, providers are able to prevent traffic that is known to be malicious from even exiting their network, which in the end works out better for everyone.


Jake Mertel
Nobis Technology Group, L.L.C.

Phone: (312) 281-5101 ext. 401
Fax: (808) 356-0417

Mail: 201 West Olive Street
Second Floor, Suite 2B
Bloomington, IL 61701

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists at] 
Sent: Friday, February 13, 2009 1:59 PM
To: NANOG list
Subject: Re: Global Blackhole Service

On Fri, Feb 13, 2009 at 1:04 PM, Jack Bates <jbates at> wrote:
> Paul Vixie wrote:
>> blackholing victims is an interesting economics proposition.  you're
>> saying
>> the attacker must always win but that they must not be allowed to affect
>> the
>> infrastructure.  and you're saying victims will request this, since they
>> know
>> they can't withstand the attack and don't want to be held responsible for
>> damage to the infrastructure.
> Blackholing victims is what is current practice. For each stage of affected

it is A current practice.. so is filtering, so is scrubbing... there
is no one answer for this.

> infrastructure, the business/provider will make requests to their peers to
> blackhole the victim IP to protect the bandwidth caps or router throughput
> caps.

or cause no one really cares about: ... or other silly 95%-of
attacked, things.

>> where you lose me is where "the attacker must always win".
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly and

There are purchasable answers to this problem... 3 (at least)
providers in the US (and at least one now offers it globally) offer
traffic scrubbing services. I know that one offers it at a very
reasonable price even...

> efficiently track down forged packets? Is there a remedy to shutting down

you can track streams of forged packets, but that's not super
important here. Forged packets actually make this part of the problem
(stopping the dos) easier, not harder.

> the *known* botnets, not to mention the unknown ones?

there are lots of folks tracking and shutting down botnets, it's not
horribly effective in stopping this sort of thing. I can vividly
recall tracking down 4 nights in a row the same 'botnet' (same
controller person, different C&C and mostly different bots) as they
were being used to attack a customer of mine at the time. This with
the cooperation of 2 other very large ISP's in the US and one vendor
security team even. In the end though a simple scrubbing solution was
deemed the simplest answer for all involved.

> The attacker will always win if he has a large enough attack

For extreme cases this is true, but there are quite a lot of things on
the spectrum which don't require super human efforts, and don't even
require intervention from the ISP if proper precautions are taken at
the outset.


More information about the NANOG mailing list