Global Blackhole Service

Florian Weimer fw at deneb.enyo.de
Sat Feb 14 22:43:58 UTC 2009


* Steven M. Bellovin:

> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique.  You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it.  Those two points are *hard*.

If you want to run a public exchange point, you need to solve the same
announcement validation problem.  Multiple organizations appear to do
it successfully, so it can't be that difficult.



