nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Global Blackhole Service

From: Jack Bates <jbates () brightok net>
Date: Fri, 13 Feb 2009 10:41:12 -0600
Valdis.Kletnieks () vt edu wrote:

How do you vet proposed new entries to make sure that some miscreant doesn't
DoS a legitimate site by claiming it is in need of black-holing?  Note that
it's a different problem space than a bogon BGP feed or a spam-source BGP
feed - if the Cymru guys take another 6 hours to do a proper paperwork and
background check to verify a bogon, or if Paul and company take another day
to verify something really *is* a cesspit of spam sources, it doesn't break the
basic concept or usability of the feed.
Presumably, the route server would have to have the same guidelines as issued by service providers. ie, /32 networks injected should come from authenticated feeds and fall within the netblock range owned by the injector. So one extra set of ACL's for each injector to upkeep. I believe what is being suggested is just one step beyond what many providers give to BGP customers to extend blackholes out. 


Oh, and cleaning up an entry in a timely fashion is also important, otherwise
an attacker can launch a DDoS, get the target into the feed, and walk away...
This also would be decided by the injecting provider. More of a "Hey, one of my IPs is being DDOS'd, please drop traffic to it to protect the rest of my network." The downside to widespread use, is that it makes tracking the problem on the other side of the blocks near impossible. In all cases, once a blackhole is initiated anywhere, the DDOS has been successful. We use automatic community changes to accept /32 blackholes from customers, verify them, then send them on to peers that also support /32 blackholes with appropriate communities. 


Jack


Jack
Previous By Date Next
Previous By Thread Next

Current thread: