Global Blackhole Service

Paul Vixie vixie at
Sat Feb 14 22:07:11 UTC 2009

> > where you lose me is where "the attacker must always win".
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly
> and efficiently track down forged packets? Is there a remedy to shutting
> down the *known* botnets, not to mention the unknown ones?

there are no silver bullets.  anyone who says otherwise is selling something.

> The attacker will always win if he has a large enough attack platform/...
> While all this is worked out, we have one solution we know works.

"we had to destroy the village in order to save it."

> If we null route the victim IP, the traffic stops at the null route.
> Since most attackers don't care to DOS the ISP, but just to take care of
> that end point, they usually don't start shifting targets to try and keep
> the ISP itself out.

if you null route the victim IP, the victim is off the air, so the DDoS is
a success even though it mostly does not reach its target.  you're proposing
that we lower an attacker's costs.  in a war of economics that's bad juju,
and all wars are about economics.

there are no silver bullets.  isp's who permit random source addresses on
packets leaving their networks are creating a global hazard, and since they
are defending their practices on the basis of thin profit margins it's right
to call this "the chemical polluter business model."  as long as the rest of
us continue to peer with these chemical polluters, then anyone on the
internet can be the victim of a devastating DDoS at any time and at low cost.

that's not a silver bullet however.  if most ISP's controlled their source
addresses there would still be DDoS's and then the new problem would be lack
of real-time cooperation along the lines of "hi i'm in the XYZ NOC and we're
tracking a DDoS against one of our customers and 14% of it is coming from
your address space, here's the summary of timestamp-ip-volume and here's a
pointer to your share of the netflows, can you remediate?"  the answer will
start out just like today's BCP38 answer, no we can't afford the staff or
technology to do that, and then lawyers would worry about liability, and we'd
all have to worry about monopolies, censorship, social engineering, and so on.

in all of these cases the problem is the margins themselves.  just as the full
cost of a fast food cheeseburger is probably about $20 if you count all the
costs that the corporations are shifting onto society, so it is that the full
cost of a 3MBit/sec DSL line is probably $300/month if you count all the costs
that ISPs shift onto digital society.  the usual argument goes (and i'm just
putting it out here to save time, though i'm betting several respondents will
not read closely and so will just spew this out as though it's their original
idea and as though i had not dismissed it many times over the decades): "we
cannot build a digital economy without cost shifting since no one would pay
what it really costs during the rampup".  i don't dignify that with a reply,
either here in effigy, or if anyone happens to trot it out again.

More information about the NANOG mailing list
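The cross-NOC request sketched in the post ("14% of it is coming from your address space, here's the summary of timestamp-ip-volume") is essentially a flow aggregation problem: bucket the attack traffic toward the victim by originating network and hand each peer its own share. The following is an added example, not code from the original message or from NANOG; the peer names, prefixes and flow records are constructed sample data, and the 14% figure in the sample merely echoes the post.

```python
"""
Aggregate flow records of a DDoS against one victim by originating network,
producing the per-peer share and timestamp-ip-volume summary a NOC would
attach to a remediation request.  Added example; all data is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes announced by each peer (hypothetical names) plus our own.
PEER_PREFIXES = {
    "peer-A": [ip_network("198.51.100.0/24")],
    "peer-B": [ip_network("203.0.113.0/24")],
    "own": [ip_network("192.0.2.0/24")],
}

VICTIM = "192.0.2.10"

# Constructed flow records: (unix timestamp, src ip, dst ip, bytes).
# Note: without BCP38 at the source network the src field may be forged, so
# attribution by apparent source is only as good as the peers' egress filtering.
FLOWS = [
    (1000, "198.51.100.7", VICTIM, 700),
    (1010, "198.51.100.9", VICTIM, 700),
    (1020, "203.0.113.5", VICTIM, 8000),
    (1075, "203.0.113.5", VICTIM, 400),
    (1030, "9.9.9.9", VICTIM, 200),           # not in any known peer prefix
    (1040, "198.51.100.7", "192.0.2.99", 5000),  # different destination, ignored
]


def origin_of(src):
    """Map an apparent source address to the network that announces it."""
    addr = ip_address(src)
    for name, nets in PEER_PREFIXES.items():
        if any(addr in n for n in nets):
            return name
    return "unknown"


def summarize(flows, victim, bin_seconds=60):
    """Return (share per origin, per-origin {(time bin, src ip): bytes}).

    Only flows whose destination is the victim count; an empty selection
    yields empty results rather than a division by zero.
    """
    total = 0
    per_origin = defaultdict(int)
    detail = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if dst != victim:
            continue
        origin = origin_of(src)
        total += nbytes
        per_origin[origin] += nbytes
        detail[origin][(ts - ts % bin_seconds, src)] += nbytes
    shares = {o: b / total for o, b in per_origin.items()} if total else {}
    return shares, detail


def remediation_requests(shares, detail, min_share=0.05):
    """Peers whose share exceeds min_share, each with sorted (bin, src, bytes) lines.

    Our own space and unattributable sources are skipped: there is nobody to
    send those to.
    """
    out = {}
    for origin, share in shares.items():
        if origin in ("own", "unknown") or share < min_share:
            continue
        lines = sorted((ts, src, b) for (ts, src), b in detail[origin].items())
        out[origin] = (share, lines)
    return out


if __name__ == "__main__":
    shares, detail = summarize(FLOWS, VICTIM)
    for peer, (share, lines) in remediation_requests(shares, detail).items():
        print(f"{peer}: {share:.0%} of attack volume")
        for ts, src, b in lines:
            print(f"  {ts} {src} {b} bytes")
```

The time bin keeps the summary compact enough to send, while the per-source rows let the receiving NOC check the claim against its own netflow before acting on it.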