nanog mailing list archives

RE: Blackholes and IXs and Completing the Attack.


From: "Ben Butler" <ben.butler () c2internet net>
Date: Sat, 2 Feb 2008 22:40:56 -0000


Hi,

"i explained why this is bad -- it lowers the attacker's costs in what
amounts to an economics war.  they can get a web site taken down by its
own provider just by attacking it.  they need fewer resources for their
attack once they know the provider's going to blackhole the victim."

I thought the cold war nuclear arms race had shown up to be truly MAD.
Who is paying for this ever escalating capacity of infrastructure as a
way to survive large DoS attacks?

Smaller attacks can be absorbed, but I really can't see a strategy of
endlessly upgrading network router and WAN infrastructure to ensure
enough head room ideal capacity is a particularly economically sensible
approach to the problem.

Ben

-----Original Message-----
From: vixie () vix com [mailto:vixie () vix com] On Behalf Of Paul Vixie
Sent: 02 February 2008 21:37
To: Ben Butler
Cc: nanog () merit edu
Subject: Re: Blackholes and IXs and Completing the Attack.

I was not proposing the Null routing of the attack source in the other
ISPs network but the destination in my network being Null routed as a
destination from your network out.

i explained why this is bad -- it lowers the attacker's costs in what
amounts to an economics war.  they can get a web site taken down by its
own provider just by attacking it.  they need fewer resources for their
attack once they know the provider's going to blackhole the victim.

This has no danger to the other network as it is my network that is
going to be my IP space that is blackholed in your network, and the
space blackholed is going to be an address that is being knocked off
the air anyway under DoS and we are trying to minimise collateral
damage.

your collateral damage is of precious little interest to someone else's
backbone staff, unless they can route-filter the potential announcements
so that you are unable to also remotely blackhole addresses you don't
advertise.  i explained this as an insurance/ISO9000 problem.

I think you might have thought I was suggesting we blackhole sources
in other peoples networks - this is definitely not what I was saying.

i explained why this would be a more sensible approach, but STILL
unworkable.

So, given we all now understand each other - why is no one doing the
above?

now that we've rehashed what we both said, i think we're done here.

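The route filter Vixie's reply asks for, as an added example that is not part of the thread: a peer's blackhole announcements are accepted only when they are host routes inside prefixes that peer is authorised to originate. It assumes a constructed authorised-prefix list and the well-known BLACKHOLE community 65535:666 from RFC 7999; the announcement dict format is an assumption for illustration.

```python
"""Filter remotely triggered blackhole (RTBH) announcements from a peer.

Added example, not code from the thread. A peer may only blackhole host
routes that fall inside prefixes it is authorised to originate; anything
else is rejected so the peer cannot blackhole space it does not advertise.
"""
import ipaddress

# Constructed sample: prefixes this peer is allowed to originate
# (in practice built from the same IRR/RPKI data used for prefix filtering).
PEER_AUTHORISED = ["192.0.2.0/24", "2001:db8:100::/48"]

# Well-known BLACKHOLE community (RFC 7999).
BLACKHOLE_COMMUNITY = "65535:666"


def _is_host_route(prefix):
    # Only host routes may be blackholed: /32 for IPv4, /128 for IPv6.
    return prefix.prefixlen == prefix.max_prefixlen


def accept_blackhole(announcement, authorised=PEER_AUTHORISED):
    """Return (accepted, reason) for one announcement dict shaped like
    {"prefix": "192.0.2.10/32", "communities": ["65535:666"]}.
    """
    if BLACKHOLE_COMMUNITY not in announcement.get("communities", []):
        return False, "no BLACKHOLE community"
    try:
        # strict=True rejects prefixes with host bits set, e.g. 192.0.2.10/24.
        prefix = ipaddress.ip_network(announcement["prefix"], strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if not _is_host_route(prefix):
        return False, "blackhole must be a host route"
    for allowed in authorised:
        net = ipaddress.ip_network(allowed)
        # subnet_of() only compares networks of the same address family.
        if prefix.version == net.version and prefix.subnet_of(net):
            return True, f"covered by {net}"
    return False, "prefix not originated by this peer"


def filter_announcements(announcements, authorised=PEER_AUTHORISED):
    """Apply accept_blackhole to a batch; returns (prefix, accepted, reason)."""
    return [(a["prefix"],) + accept_blackhole(a, authorised) for a in announcements]


if __name__ == "__main__":
    # Constructed sample: one legitimate victim, one attempt on foreign space.
    sample = [{"prefix": "192.0.2.10/32", "communities": [BLACKHOLE_COMMUNITY]},
              {"prefix": "198.51.100.7/32", "communities": [BLACKHOLE_COMMUNITY]}]
    for row in filter_announcements(sample):
        print(row)
```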