Global Blackhole Service
fw at deneb.enyo.de
Sat Feb 14 22:43:58 UTC 2009
* Steven M. Bellovin:
> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique. You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it. Those two points are *hard*.
If you want to run a public exchange point, you need to solve the same
announcement validation problem. Multiple organizations appear to do
it successfully, so it can't be that difficult.
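
The two checks named in the quoted text (authoritative prefix ownership and request authentication), sketched as an added example that is not part of either poster's message. The registry contents, keys, ASNs and function names are constructed for illustration, and the HMAC shared-secret scheme is an assumption standing in for whatever authentication a real service would use.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
REGISTRY = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}
# Hypothetical per-member shared secrets, provisioned out of band.
KEYS = {64500: b"constructed-key-for-AS64500", 64501: b"constructed-key-for-AS64501"}


def sign_request(asn, prefix, key):
    """Tag a member attaches to its request (HMAC-SHA256 over ASN and prefix)."""
    msg = f"{asn}|{ipaddress.ip_network(prefix)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def validate_blackhole_request(asn, prefix, tag):
    """Return (accepted, reason). Both checks must pass before anything is dropped."""
    key = KEYS.get(asn)
    if key is None:
        return False, "unknown requester"
    try:
        net = ipaddress.ip_network(prefix)  # strict parsing: rejects host bits set
    except ValueError:
        return False, "malformed prefix"
    # 1. Authenticate the request (constant-time comparison).
    if not hmac.compare_digest(sign_request(asn, str(net), key), tag):
        return False, "bad authentication tag"
    # 2. Ownership: the prefix must lie inside space registered to the requester.
    #    A supernet of registered space matches nothing and is refused.
    for registered, holder in REGISTRY.items():
        if net.version == registered.version and net.subnet_of(registered):
            if holder == asn:
                return True, f"covered by {registered}"
            return False, f"prefix belongs to AS{holder}"
    return False, "prefix not in registry"
```

A correctly signed request from AS64501 for an address inside 192.0.2.0/24 is still refused, which is the DoS case the quoted text warns about.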