North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Blackhole Routes

  • From: Ian Dickinson
  • Date: Sat Oct 02 18:07:49 2004

Richard A Steenbergen wrote:
I'd have to disagree with you. While you and many other networks may be able to handle most DoS attacks without involving your upstreams, there are still plenty (the majority I would say) of networks who can't. In fact, the entire CONCEPT of a blackhole customer community is to move the filtering up one level higher on the Internet, where it should theoretically be easier for the larger network to filter. It would be silly to assume that there is no attack which the person implementing the blackhole community can not handle, or to assume that there will never be tier 2/3 ISPs aggregating or reselling bandwidth.

Also, since the point of a blackhole community is to block all traffic to a destination prefix anyways, it doesn't matter whether the blackhole takes place 1 network upstream or 10. Any prefix which can be announced and routed on the global routing table should be able to be blackholed by every network on the global Internet, using a standard well-known community. This changes nothing of the current practices of accountability for your announcements, filtering by prefix length, etc. There would still remain a clear role for no-export and more specifics upto /32 between networks who have negotiated this relationship, but there absolutely no reason you couldn't and shouldn't have global blackholes available as well.
You'd need an additional community to flag this eg. 65001:666 means to
blackhole, 65001:6666 means to propagate it as well. I can't speak for
others but when we blackhole the destination (as opposed to blackholing the source or mitigating) we often only do it in the direction from
which the attack is coming*. Why drop globally when you can drop
traffic from a subset of the Internet? Your victim will thank you
if 90% of their customer base can reach them, versus none. Similarly,
if they're multi-homed, they may well rely on you NOT propagating.
Maybe this looks different from the perspective of a global Tier-1.

* We often find that even with the larger attacks, the vast majority of
the traffic comes in from a particular vector (or group of vectors).
Rarely does traffic enter via peerings equally.
Ian Dickinson
Development Engineer
[email protected]

This e-mail is subject to: