nanog mailing list archives

RE: Global Blackhole Service


From: Skywing <Skywing () valhallalegends com>
Date: Fri, 13 Feb 2009 11:08:29 -0600

Of course, whoever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real 
traction in the field.  There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone can 
peer with it.

- S

-----Original Message-----
From: Nuno Vieira - nfsi telecom <nuno.vieira () nfsi pt>
Sent: Friday, February 13, 2009 07:13
To: Jens Ott - PlusServer AG <j.ott () plusserver de>
Cc: nanog <nanog () nanog org>
Subject: Re: Global Blackhole Service


Hi Jens,

I think we are in the same boat.

We suffered the same problem often, at a lower magnitude, but if a project like this existed those DDoS could be 
brought almost to zero.

This is somewhat similar to what Spamcop, and other folks do with SPAM today, but applied on a different scope, say, BGP 
Blackhole.

This service can span wider than just peers, opening the opportunity for edge-to-edge DDoS mitigation.

Say, a network in .pt or .de is being attacked at large, and dst operators inject the dst attacked source on the 
blackhole bgp feed...   say that 100+ other ops around the world use a scenario like this... this might be very useful.
Concerns: the "authority" or the "responsible" for maintaining this project must assure that OP A or OP B can *only* 
announce chunks that belong to him, avoiding any case of hijack.

We would be interested in participating in something like this.

So,

My questions to all of you:

- What do you think about such service?

It will be great. We are available to help.

- Would you/your ASN participate in such a service?

Yes.

- Do you see some kind of useful feature in such a service?

Yes, a few thoughts above, some more might come up.

- Do you have any comments?

For starters, a few above.

Regards,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vieira () nfsi pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



----- "Jens Ott - PlusServer AG" <j.ott () plusserver de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us
too much, but e.g. one of our upstreams got his Amsix-Port exploded.

With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge,
but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS.

I can imagine that for some peers, especially for the ones having only a thin fiber (e.g. 1GBit) to Decix, it's not too
funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge.

Well, I could discuss with my peers (at least the ones who might get in trouble with such an issue) to do some
individual config for some blackhole-announcement, but most probably I'm not the only one receiving DoS and who would
be interested in such a setup.

Therefore I had the following idea: Why not take one of my old routers and set it up as blackhole-service. Then
everyone who is interested could set up a session to there and

1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and roll
out the blackhole to their network.

My questions to all of you:

- What do you think about such service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?

Thank you for telling me your opinions and best regards

- --
===================================================================

Jens Ott
Leiter Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501

E-Mail: j.ott () plusserver de
GPG-Fingerprint: 808A EADF C476 FABE 2366  8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth

Germany

HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Aufsichtsratsvorsitz: Claudius Schmalschläger

===================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVilwACgkQMf0yjMLKfXpNuQCeKcicthIadISe7I+Xs5ZNHS+1
0qUAnRDkOY9/6kokq3Hf68BRQFfkP3xy
=jKUA
-----END PGP SIGNATURE-----
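The origin check that Nuno asks for (a peer may only announce chunks that belong to him), applied to the /32 and /128 host routes Jens proposes, is what keeps a shared blackhole feed from becoming the "reverse-DoS" vector Skywing describes: without it, any participant could blackhole an innocent third party's address across every network that consumes the feed. The following is an added example of such a route-server policy, not code from this thread or from any operator named in it. The ASNs are private-use (RFC 6996), the prefixes are documentation ranges (RFC 5737, RFC 3849), the announcements are constructed, and the per-peer route cap is a hypothetical extra control against a single peer flooding the feed.

```python
import ipaddress
from collections import Counter

# Constructed data: which address space each peer AS may blackhole.
# Private-use ASNs (RFC 6996) and documentation prefixes (RFC 5737, RFC 3849);
# a real deployment would build this from IRR route objects or signed LOAs.
PEER_PREFIXES = {
    64496: ["192.0.2.0/24", "2001:db8:1::/48"],
    64497: ["198.51.100.0/24"],
}

# Hypothetical per-peer cap on simultaneous blackhole routes, so one peer
# cannot flood every participant's RIB with host routes.
MAX_ROUTES_PER_PEER = 3


def validate_blackhole_announcement(peer_asn, prefix_str, peer_prefixes=PEER_PREFIXES):
    """Decide whether one announcement from peer_asn may enter the feed.

    Returns (accepted, reason). Accepted only if the prefix parses, is a host
    route (/32 for IPv4, /128 for IPv6) and lies inside a block the peer owns.
    """
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix {prefix_str!r}: {exc}"
    if net.prefixlen != net.max_prefixlen:
        return False, f"{net} is not a host route; only /32 and /128 are accepted"
    blocks = peer_prefixes.get(peer_asn)
    if not blocks:
        return False, f"AS{peer_asn} is not a registered peer"
    for block_str in blocks:
        block = ipaddress.ip_network(block_str)
        # subnet_of() raises TypeError across address families, so check the version first.
        if block.version == net.version and net.subnet_of(block):
            return True, f"{net} lies within {block} registered to AS{peer_asn}"
    return False, f"{net} is outside the address space registered to AS{peer_asn}"


def filter_feed(announcements, peer_prefixes=PEER_PREFIXES, max_per_peer=MAX_ROUTES_PER_PEER):
    """Apply the policy to (asn, prefix) tuples in arrival order.

    Returns (accepted, rejected); each entry is (asn, prefix, reason).
    """
    accepted, rejected = [], []
    per_peer = Counter()
    for asn, prefix in announcements:
        ok, reason = validate_blackhole_announcement(asn, prefix, peer_prefixes)
        if ok and per_peer[asn] >= max_per_peer:
            ok, reason = False, f"AS{asn} exceeded {max_per_peer} active blackhole routes"
        if ok:
            per_peer[asn] += 1
            accepted.append((asn, prefix, reason))
        else:
            rejected.append((asn, prefix, reason))
    return accepted, rejected


# Constructed announcements: legitimate ones, a hijack attempt against another
# peer's space, a covering /24, an unknown peer, and a flood from one peer.
SAMPLE_ANNOUNCEMENTS = [
    (64496, "192.0.2.10/32"),      # victim host in own space: accept
    (64496, "2001:db8:1::5/128"),  # own IPv6 host: accept
    (64496, "198.51.100.7/32"),    # AS64497's space: reject (hijack)
    (64496, "192.0.2.0/24"),       # covering prefix, not a host route: reject
    (64499, "192.0.2.11/32"),      # unknown peer: reject
    (64497, "198.51.100.1/32"),
    (64497, "198.51.100.2/32"),
    (64497, "198.51.100.3/32"),
    (64497, "198.51.100.4/32"),    # fourth route from AS64497: reject (cap)
]

if __name__ == "__main__":
    acc, rej = filter_feed(SAMPLE_ANNOUNCEMENTS)
    for asn, prefix, reason in acc:
        print(f"ACCEPT AS{asn} {prefix}: {reason}")
    for asn, prefix, reason in rej:
        print(f"REJECT AS{asn} {prefix}: {reason}")
```

The allowlist is the whole security model of such a service: whoever operates the box has to maintain it from an authoritative source (IRR data or letters of authorisation from each peer) and keep it current, since a stale entry after a prefix transfer is exactly the innocent-party case from the first reply. Consumers of the feed should also tag what they import (a dedicated community and a no-export policy) so that a /32 learned from the blackhole session is never re-advertised to their own peers as an ordinary route.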

