Re: Blackhole Routes
- From: Ian Dickinson
- Date: Sat Oct 02 18:07:49 2004
Richard A Steenbergen wrote:
> I'd have to disagree with you. While you and many other networks may be
> able to handle most DoS attacks without involving your upstreams, there
> are still plenty (the majority I would say) of networks who can't. In
> fact, the entire CONCEPT of a blackhole customer community is to move the
> filtering up one level higher on the Internet, where it should
> theoretically be easier for the larger network to filter. It would be
> silly to assume that there is no attack which the person implementing the
> blackhole community cannot handle, or to assume that there will never be
> tier 2/3 ISPs aggregating or reselling bandwidth.
>
> Also, since the point of a blackhole community is to block all traffic to
> a destination prefix anyways, it doesn't matter whether the blackhole
> takes place 1 network upstream or 10. Any prefix which can be announced
> and routed on the global routing table should be able to be blackholed by
> every network on the global Internet, using a standard well-known
> community. This changes nothing of the current practices of accountability
> for your announcements, filtering by prefix length, etc. There would still
> remain a clear role for no-export and more specifics up to /32 between
> networks who have negotiated this relationship, but there is absolutely no
> reason you couldn't and shouldn't have global blackholes available as

You'd need an additional community to flag this, e.g. 65001:666 means to
blackhole, 65001:6666 means to propagate it as well. I can't speak for
others but when we blackhole the destination (as opposed to blackholing
the source or mitigating) we often only do it in the direction from
which the attack is coming*. Why drop globally when you can drop
traffic from a subset of the Internet? Your victim will thank you
if 90% of their customer base can reach them, versus none. Similarly,
if they're multi-homed, they may well rely on you NOT propagating.

Maybe this looks different from the perspective of a global Tier-1.

* We often find that even with the larger attacks, the vast majority of
the traffic comes in from a particular vector (or group of vectors).
Rarely does traffic enter via peerings equally.
This e-mail is subject to: http://www.pipex.net/disclaimer.html
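The two-community scheme described in the reply (one community asks the upstream to blackhole inside its own network, a second asks it to propagate the blackhole onward), written out as Cisco IOS policy for the upstream's customer-facing and transit-facing sessions. This is an added illustration, not configuration from the post or from either poster's network. ASN 65001 and the 666/6666 values are taken from the post; the discard address 192.0.2.1, the customer block 198.51.100.0/24, the customer and transit ASNs 65010 and 64500, the transit provider's community 64500:666, the neighbour addresses and all list and route-map names are assumptions chosen for the example.

```cisco
! Added example, not from the original post. All addresses, ASNs other than
! 65001, and list/route-map names are assumed values.
ip bgp-community new-format

! Discard route: any BGP route whose next-hop resolves to 192.0.2.1 is dropped.
! Install this on every router that should actually drop the traffic.
ip route 192.0.2.1 255.255.255.255 Null0

! Communities a customer may set (65001 = our ASN; values from the post).
ip community-list standard CUST-BLACKHOLE    permit 65001:666
ip community-list standard CUST-BH-PROPAGATE permit 65001:6666

! A blackhole request is honoured only for host routes inside space the
! customer is already allowed to announce (assumed allocation).
ip prefix-list CUST-BH-HOSTS seq 5 permit 198.51.100.0/24 ge 32
! The customer's ordinary announcement: the aggregate, no more-specifics.
ip prefix-list CUST-ROUTES seq 5 permit 198.51.100.0/24
! Any /32 at all, used to stop host routes leaking to transit by default.
ip prefix-list ANY-HOST seq 5 permit 0.0.0.0/0 ge 32

! Inbound from the customer. Sequence order matters: 6666 is tested first,
! so a route carrying both communities gets the "propagate" treatment.
route-map CUSTOMER-IN permit 10
 description Blackhole here and pass the request on to our transit
 match ip address prefix-list CUST-BH-HOSTS
 match community CUST-BH-PROPAGATE
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map CUSTOMER-IN permit 20
 description Blackhole inside our AS only; no-export keeps the /32 at home
 match ip address prefix-list CUST-BH-HOSTS
 match community CUST-BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map CUSTOMER-IN permit 30
 description Ordinary customer prefixes, untouched
 match ip address prefix-list CUST-ROUTES
! Implicit deny: a /32 without a blackhole community, or anything outside
! the customer's allocation, is rejected.

! Outbound to transit. A host route leaves only when the customer asked for
! propagation, and is re-tagged with the transit provider's own blackhole
! community (64500:666 is assumed; use your provider's published value).
route-map TRANSIT-OUT permit 10
 match ip address prefix-list CUST-BH-HOSTS
 match community CUST-BH-PROPAGATE
 set community 64500:666
route-map TRANSIT-OUT deny 20
 match ip address prefix-list ANY-HOST
route-map TRANSIT-OUT permit 30
 match ip address prefix-list CUST-ROUTES

router bgp 65001
 neighbor 203.0.113.2 remote-as 65010
 neighbor 203.0.113.2 description Customer (assumed address)
 neighbor 203.0.113.2 route-map CUSTOMER-IN in
 neighbor 203.0.113.254 remote-as 64500
 neighbor 203.0.113.254 description Transit (assumed address)
 neighbor 203.0.113.254 send-community
 neighbor 203.0.113.254 route-map TRANSIT-OUT out
```

Two practical points follow from the reply's own argument. First, dropping "only in the direction from which the attack is coming" falls out of where the Null0 route is installed: a border router that has the /32 via iBGP with next-hop 192.0.2.1 but no discard route cannot resolve the next-hop, does not install the /32, and keeps forwarding on the covering /24, so installing the static only on the borders facing the attack vector gives the selective drop described. Second, check that iBGP sessions do not rewrite the next-hop (for example with next-hop-self) on their way to the other borders; if they do, apply the community-to-next-hop mapping on each router that should drop rather than relying on the next-hop set at the customer edge.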