Re: Global Blackhole Service

[Jens Ott - PlusServer AG <j.ott () plusserver de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven M. Bellovin schrieb:
> On Fri, 13 Feb 2009 16:41:41 +0000 (WET)
> Nuno Vieira - nfsi telecom <nuno.vieira () nfsi pt> wrote:
>
> > Ok, however, what i am talking about is a competelly diferent thing,
> > and i think that my thoughts are alligned with Jens.
> >
> > We want to have a Sink-BGP-BL, based on Destination.
> >
> > Imagine, i as an ISP, host a particular server that is getting nn
> > Gbps of DDoS attack.  I null route it, and start advertising a /32 to
> > my upstream providers with a community attached, for them to null
> > route it at their network. However, the attacks continue going, on
> > and on, often flooding internet exchange connections and so.
> >
> > A solution like this, widelly used, would prevent packets to leave
> > their home network, mitigating with effective any kind of DDoS (or
> > packet flooding).
> >
> > Obviously, we need a few people to build this (A Website, an
> > organization), where when a new ISP connects is added to the system,
> > a prefix list should be implemented, preventing that ISP to announce
> > IP addresses that DON'T belong to him.
> >
> > The Sink-BGP-BL sends a full feed of what it gots to Member ISP's,
> > and those member ISP's, should apply route-maps or whatever they
> > want, but, in the end they want to discard the traffic to those
> > prefixes (ex: Null0 or /dev/null).
> >
> > This is a matter or getting enough people to kick this off, to build
> > a website, to establish one or two route-servers and to give use to.
> >
> > Once again, i am interested on this, if others are aswell, let know.
> > This should be a community-driven project.
> In other words, a legitimate prefix hijacking service...
>
> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique.  You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it.  Those two points are *hard*.  

As described in my earlier mail, I'd suggest to run a prefix-list generator
updating informations from IRR on a regulary basis and, as soon as a new
"matching" route-object appears in IRR, an automated mail might be send to the
ASN-owner (address also taken from irr-records) with a confirmation-link.

That way you'd need to hijack IRR-database and/or tech-c/admin-c mailbox
before being able to have a prefix added to the list of prefixes accepted from
your peer.

> I also note that the
> scheme as described here is incompatible with more or less any possible
> secured BGP, since by definition it involves an AS that doesn't own a
> prefix advertising a route to it.

No, the router may work as Route-Reflector, so you see exactly the as-path as
is and the route-reflectors own asn isn't visible at all..

>               --Steve Bellovin, http://www.cs.columbia.edu/~smb


- --
===================================================================

Jens Ott
Leiter Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501

E-Mail: j.ott () plusserver de
GPG-Fingerprint: 808A EADF C476 FABE 2366  8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth

Germany

HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823
Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Aufsichtsratsvorsitz: Claudius Schmalschläger

===================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVre4ACgkQMf0yjMLKfXp2oQCfS3/zTUAgjN0VegvctemS+NL6
+v0AnivXszJ0extA/mspFakX7MR3w+Y6
=gu7J
-----END PGP SIGNATURE-----