nanog mailing list archives

Re: Global Blackhole Service

From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 14 Feb 2009 23:43:58 +0100

* Steven M. Bellovin:

As Randy and Valdis have pointed out, if this isn't done very carefully
it's an open invitation to a new, very effective DoS technique.  You
can't do this without authoritative knowledge of exactly who owns any
prefix; you also have to be able to authenticate the request to
blackhole it.  Those two points are *hard*.


If you want to run a public exchange point, you need to solve the same
announcement validation problem.  Multiple organizations appear to do
it successfully, so it can't be that difficult.

Current thread:

Re: Global Blackhole Service, (continued)
- Re: Global Blackhole Service Randy Bush (Feb 13)
  - Re: Global Blackhole Service Nuno Vieira - nfsi telecom (Feb 13)
- Re: Global Blackhole Service Nuno Vieira - nfsi telecom (Feb 13)
- Re: Global Blackhole Service Valdis . Kletnieks (Feb 13)
  - Re: Global Blackhole Service Jack Bates (Feb 13)
    - Re: Global Blackhole Service Jens Ott - PlusServer AG (Feb 13)
  - Re: Global Blackhole Service Nuno Vieira - nfsi telecom (Feb 13)
    - Re: Global Blackhole Service Steven M. Bellovin (Feb 13)
    - Re: Global Blackhole Service Jens Ott - PlusServer AG (Feb 13)
    - Re: Global Blackhole Service Jack Bates (Feb 13)
    - Re: Global Blackhole Service Florian Weimer (Feb 14)
    - Re: Global Blackhole Service Patrick W. Gilmore (Feb 14)
    - Re: Global Blackhole Service Michael Thomas (Feb 15)
    - Re: Global Blackhole Service Marshall Eubanks (Feb 15)
    - cogent issues John Martinez (Feb 15)
    - Re: cogent issues Michal Krsek (Feb 16)
    - Re: cogent issues neal rauhauser (Feb 16)
    - Re: cogent issues Marshall Eubanks (Feb 16)
    - Re: cogent issues Ran Liebermann (Feb 16)
    - Re: Global Blackhole Service Matthew Moyle-Croft (Feb 14)
  - Re: Global Blackhole Service Florian Weimer (Feb 13)

(Thread continues...)