nanog mailing list archives
Re: Blackhole Routes
From: "Wayne E. Bouchard" <web () typo org>
Date: Thu, 30 Sep 2004 11:43:42 -0700
On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote:
It goes a little further than that these days. Folks are openly allowing customers to advertise routes with something like a 666 community which will then be blackholed within their network. So if you're a service provider with your own blackhole system, you can easily tie it into your upstream's system and dump the traffic many hops away from you meaning that the traffic is getting dumped closer to the source than the destination in a fair number of cases.
This is very dangerous however..... If providers start tying their customer's blackhole announcements to the provider's upstreams' blackhole announcements in an AUTOMATIC process, bad things <tm> are likely to happen. What happens when a customer of a provider mistakenly advertises more routes than he should [let's say specifics in case #1] you can flood your upstreams' routers with specifics and potentially cause flapping or memory overflows...
Yes, well, in my case, I go through a dedicated server with multi-hop sessions and set a prefix limit of 25 or so, so I don't get bombarded with 5 billion /32 routes and don't send those routes upstream. (I try to play nice when possible.) I expect that the upstreams have various defense mechanisms of their own to protect them against me misconfiguring my boxes as well. (It only makes sense..)
In case #2, presumably the blackhole community takes precedence, so if a customer is mistakenly readvertising their multihome provider's table with a 666 tag, all of the upstream providers might be blackholing the majority of their non-customer routes.
If the customer does themselves in, that's not something I can really protect against.
Non-automatic tying of customer blackholes to upstream or peer blackholes is a powerful tool to improve the stability of the net as a whole.
Yes, but far too slow when you're getting DOSd off the face of several planets.
---
Wayne Bouchard
web () typo org
Network Dude
http://www.typo.org/~web/
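An added example, not part of the original message or thread: one way to screen customer blackhole announcements before relaying them upstream, covering both failure cases raised above (a flood of specifics, and re-advertised non-customer routes carrying the 666 tag). The function name, the `64500:666` community form, the host-route-only rule and the sample prefixes are assumptions; the limit of 25 is the figure from the reply.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "64500:666"  # assumed ASN:value form; the thread only says "666"
PREFIX_LIMIT = 25                  # per-session limit quoted in the reply above

def screen_blackholes(announcements, customer_blocks, limit=PREFIX_LIMIT):
    """Hypothetical helper: decide which blackhole routes may go upstream.

    announcements   -- list of (prefix, set of community strings) from one customer
    customer_blocks -- prefixes registered to that customer
    Returns (accepted networks, [(prefix, reason)] for everything rejected).
    """
    blocks = [ipaddress.ip_network(b) for b in customer_blocks]
    accepted, rejected = [], []
    for prefix, communities in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if BLACKHOLE_COMMUNITY not in communities:
            rejected.append((prefix, "no blackhole community"))
        elif net.prefixlen != net.max_prefixlen:
            # Assumed policy: only host routes (/32, /128) may be blackholed.
            rejected.append((prefix, "not a host route"))
        elif not any(net.version == b.version and net.subnet_of(b) for b in blocks):
            # Case #2: a tagged route that is not the customer's own space.
            rejected.append((prefix, "outside customer space"))
        else:
            accepted.append(net)
    if len(accepted) > limit:
        # Case #1: too many specifics. Fail closed and relay nothing, as a BGP
        # maximum-prefix limit typically does by tearing the session down.
        rejected += [(str(n), "prefix limit exceeded") for n in accepted]
        accepted = []
    return accepted, rejected

# Constructed sample input (documentation prefixes, documentation ASN).
CUSTOMER_BLOCKS = ["192.0.2.0/24"]
SAMPLE = [
    ("192.0.2.10/32", {"64500:666"}),    # legitimate blackhole request
    ("198.51.100.0/24", {"64500:666"}),  # re-advertised table entry with the tag
    ("203.0.113.7/32", {"64500:666"}),   # host route in someone else's space
    ("192.0.2.11/32", set()),            # customer route without the tag
]
FLOOD = [(f"192.0.2.{i}/32", {"64500:666"}) for i in range(1, 31)]

if __name__ == "__main__":
    for name, batch in (("sample", SAMPLE), ("flood", FLOOD)):
        ok, bad = screen_blackholes(batch, CUSTOMER_BLOCKS)
        print(name, [str(n) for n in ok], bad)
```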