North American Network Operators Group


Re: Blackholes and IXs and Completing the Attack.

  • From: Christopher Morrow
  • Date: Sun Feb 03 15:58:01 2008

On Feb 3, 2008 2:53 PM, Tomas L. Byrnes <tomb@xxxxxxxxxxx> wrote:

> 3: Backbone routers can't reasonably filter on a bunch of /32s and also
> forward traffic at wire speed.

yes they can. the size of the individual route doesn't matter to the
devices in question, the NUMBER of routes does... (as does the
associated change-rate of that number, but that's a story for another
day)

>
> 4: It would be much harder to get all the ingress networks, which
> include all sorts of small local and regional ISPs, to join such a
> scheme than it would be to get larger ISPS to do so, assuming item 3
> above is not true.
>

some already do this though... not in quite the manner Ben's aiming to
do, but there are folks that accept BGP feeds in order to drop traffic
inside their network(s).

> 5: When one /32 is under DDOS, the rest of the hosts served by the same
> links are also effectively DOSed, ergo renumbering them out of the DOSed
> space, while painful, might be less painful than continuing to deal with
> the DOS.
>

you have not had to deal with renumbering I presume? not a raft of
end-users (consumers never mind businesses). Why is the assumption that
the surrounding space is a /24 relevant exactly? The aggregation
scheme used inside any particular network isn't necessarily '/24 per
pop/link/service-area'...

renumbering for DDoS isn't really a workable solution, save the
distinct case when you own the IP in question and services it provides
(and other ancillary bits/bytes related to said ip/device/thingy).

> 8: Disaggregation can be done now, with the tools currently available,
> and requires no additional hardware, software, or legal agreements.
>

your point here is that perhaps instead of this scheme one would just
advertise the max-prefix-length (/24 currently) from a 'better' place
on your network and suck all the 'bad' traffic (all traffic in point
of fact) for the attacked destination via a transit/peer/place which
can deal with it properly?

This isn't a bad solution, and it gives you some control on the
traffic stream, it does have the penalty to everyone else of 'one more
route in the RIB/FIB'... which I think was Ben's vote against this
method. (also not a bad vote...)

anyway, the idea behind multi-as blackholing has been (and apparently
continues to get) rehashed a few times over the last 5-8 years... good
luck!

-Chris
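An added illustration of the two mechanisms debated above, a /32 blackhole route versus a disaggregated /24 drawn to a location that can absorb the traffic; this is not code from the thread. It is a toy longest-prefix-match table in Python, and the prefixes and next-hop names are constructed.

```python
import ipaddress


class Fib:
    """Toy longest-prefix-match table: prefix -> next hop ('discard' = blackhole)."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, nexthop):
        # One entry per prefix whatever its length: a /32 costs the same slot as a /24,
        # so it is the number of entries, not their length, that grows the table.
        self.routes[ipaddress.ip_network(prefix)] = nexthop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def __len__(self):
        return len(self.routes)


def base_fib():
    # Constructed scenario: one aggregate learned via the normal upstream.
    fib = Fib()
    fib.add("10.0.0.0/16", "upstream-A")
    return fib


def blackhole_host(fib, host):
    # Blackhole-feed style: a /32 with a discard next hop; only that host is dropped.
    fib.add(host + "/32", "discard")
    return fib


def disaggregate_to_scrubber(fib, prefix, scrub_hop):
    # The alternative from the thread: advertise the covering /24 from a place that
    # can deal with the flood. Every host in that /24 now follows the new path.
    fib.add(prefix, scrub_hop)
    return fib


def demo():
    bh = blackhole_host(base_fib(), "10.0.7.5")
    dis = disaggregate_to_scrubber(base_fib(), "10.0.7.0/24", "scrubbing-pop")
    return {
        "blackhole": (bh.lookup("10.0.7.5"), bh.lookup("10.0.7.6"), len(bh)),
        "disaggregate": (dis.lookup("10.0.7.5"), dis.lookup("10.0.7.200"),
                         dis.lookup("10.0.8.1"), len(dis)),
    }


if __name__ == "__main__":
    print(demo())
```

Both actions add exactly one entry; the difference is collateral scope, one host dropped versus a whole /24 rerouted.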