Global Blackhole Service
fw at deneb.enyo.de
Fri Feb 13 14:59:48 CST 2009
* Valdis Kletnieks:
> On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said:
>> Therefore I had the following idea: Why not taking one of my old routers and
>> set it up as blackhole-service. Then everyone who is interested could set up a
>> session to there and
>> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
>> 2.) receive all the /32 (/128) announcements from the other peers with the IPs
>> they want to have blackholed and rollout the blackhole to their network.
> How do you vet proposed new entries to make sure that some miscreant doesn't
> DoS a legitimate site by claiming it is in need of black-holing?
The same way you prevent rogue announcements. 8-/
I guess an IX would be able to perform some validation of blacklisting
requests, or at least provide a contractual framework. I don't think
a global solution exists (beyond the "use my route server" approach,
which is quite global--until there are two of them).
More information about the NANOG