Global Blackhole Service

Ricardo Oliveira rveloso at cs.ucla.edu
Fri Feb 13 19:39:05 CST 2009


Nuno et al.,
Count me in for this.
Cheers,

--Ricardo
http://www.cs.ucla.edu/~rveloso

On Feb 13, 2009, at 8:41 AM, Nuno Vieira - nfsi telecom wrote:

> Ok, however, what I am talking about is a completely different thing,
> and I think that my thoughts are aligned with Jens.
>
> We want to have a Sink-BGP-BL, based on Destination.
>
> Imagine, I as an ISP, host a particular server that is getting nn
> Gbps of DDoS attack. I null route it, and start advertising a /32
> to my upstream providers with a community attached, for them to null
> route it at their network.
> However, the attacks continue going, on and on, often flooding
> internet exchange connections and so.
>
> A solution like this, widely used, would prevent packets from leaving
> their home network, effectively mitigating any kind of DDoS (or
> packet flooding).
>
> Obviously, we need a few people to build this (a website, an
> organization), where, when a new ISP connects and is added to the system,
> a prefix list should be implemented, preventing that ISP from announcing
> IP addresses that DON'T belong to him.
>
> The Sink-BGP-BL sends a full feed of what it gets to member ISPs,
> and those member ISPs should apply route-maps or whatever they
> want, but, in the end, they want to discard the traffic to those
> prefixes (e.g. Null0 or /dev/null).
>
> This is a matter of getting enough people to kick this off, to build
> a website, to establish one or two route-servers and to give use to.
>
> Once again, I am interested in this; if others are as well, let me
> know. This should be a community-driven project.
>
> regards,
> ---
> Nuno Vieira
> nfsi telecom, lda.
>
> nuno.vieira at nfsi.pt
> Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
> http://www.nfsi.pt/
>
>
>
> ----- "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu> wrote:
>
>> How do you vet proposed new entries to make sure that some miscreant
>> doesn't DoS a legitimate site by claiming it is in need of black-holing?
>> Note that it's a different problem space than a bogon BGP feed or a
>> spam-source BGP feed - if the Cymru guys take another 6 hours to do a
>> proper paperwork and background check to verify a bogon, or if Paul and
>> company take another day to verify something really *is* a cesspit of
>> spam sources, it doesn't break the basic concept or usability of the feed.
>>
>> You usually don't *have* a similar luxury if you're trying to deal with a
>> DDoS, because those are essentially a real-time issue.
>>
>> Oh, and cleaning up an entry in a timely fashion is also important,
>> otherwise an attacker can launch a DDoS, get the target into the feed,
>> and walk away...
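As an added illustration (not code from this thread or from any NANOG project), the following Python sketch models the two controls the thread raises: the per-member prefix list Nuno describes, which stops a member from blackholing addresses it does not hold, and the timely cleanup Valdis asks about, here done with an expiry time on each entry. The member names, the address blocks (RFC 5737/3849 documentation ranges) and the one-hour lifetime are constructed placeholders, not values from the thread.

```python
"""Toy model of the vetting step for a destination-based Sink-BGP-BL route server.

Added illustration, not code from the NANOG thread. It models:
  * a per-member prefix list: a member may only announce /32 (or /128) host
    routes that sit inside address blocks registered to that member;
  * time-limited entries, so a blackhole is purged from the feed once the
    attack it was raised for should be over.
"""
import ipaddress
import time
from dataclasses import dataclass

BLACKHOLE_TTL = 3600  # assumed default lifetime of an entry, in seconds


@dataclass
class Member:
    name: str
    allocations: list  # ip_network objects this member legitimately holds (constructed registry)


@dataclass
class Entry:
    prefix: object     # ipaddress.IPv4Network or IPv6Network
    member: str
    expires_at: float


class SinkBGPBL:
    def __init__(self, members, ttl=BLACKHOLE_TTL):
        self.members = {m.name: m for m in members}
        self.ttl = ttl
        self.entries = {}  # prefix -> Entry

    def vet(self, member_name, prefix_str):
        """Return (accepted, reason) for a proposed blackhole announcement."""
        member = self.members.get(member_name)
        if member is None:
            return False, "unknown member"
        try:
            prefix = ipaddress.ip_network(prefix_str, strict=True)
        except ValueError:
            return False, "malformed prefix"
        # only host routes go into the feed, never whole blocks
        if prefix.prefixlen != prefix.max_prefixlen:
            return False, "only host routes are accepted"
        # the prefix-list check: the host route must sit inside something the member holds
        if not any(block.version == prefix.version and prefix.subnet_of(block)
                   for block in member.allocations):
            return False, "prefix not within member's allocations"
        return True, "ok"

    def announce(self, member_name, prefix_str, now=None):
        """Vet an announcement and, if it passes, add it with an expiry time."""
        now = time.time() if now is None else now
        ok, reason = self.vet(member_name, prefix_str)
        if ok:
            prefix = ipaddress.ip_network(prefix_str)
            self.entries[prefix] = Entry(prefix, member_name, now + self.ttl)
        return ok, reason

    def withdraw(self, member_name, prefix_str):
        """Only the member that raised an entry may withdraw it early."""
        prefix = ipaddress.ip_network(prefix_str)
        entry = self.entries.get(prefix)
        if entry is None or entry.member != member_name:
            return False
        del self.entries[prefix]
        return True

    def feed(self, now=None):
        """Current feed sent to members, with expired entries purged first."""
        now = time.time() if now is None else now
        for prefix in [p for p, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[prefix]
        return sorted(str(p) for p in self.entries)


def build_demo():
    """Constructed registry of two members using documentation address ranges."""
    return SinkBGPBL([
        Member("isp-a", [ipaddress.ip_network("192.0.2.0/24"),
                         ipaddress.ip_network("2001:db8::/32")]),
        Member("isp-b", [ipaddress.ip_network("198.51.100.0/24")]),
    ])


if __name__ == "__main__":
    bl = build_demo()
    print(bl.announce("isp-a", "192.0.2.10/32", now=0))      # accepted
    print(bl.announce("isp-a", "198.51.100.7/32", now=0))    # rejected: not isp-a's space
    print(bl.feed(now=10), bl.feed(now=BLACKHOLE_TTL + 1))   # entry present, then purged
```

The ownership check is the same idea as the per-member prefix list Nuno proposes for the route-server session; in a real deployment it would be enforced in the router's inbound filter rather than in application code, and the registry would come from the RIR or the member's onboarding paperwork.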