[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Global Blackhole Service

Subject: Global Blackhole Service
From: jbates at brightok.net (Jack Bates)
Date: Fri, 13 Feb 2009 12:04:49 -0600
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>

Paul Vixie wrote:
> blackholing victims is an interesting economics proposition.  you're saying
> the attacker must always win but that they must not be allowed to affect the
> infrastructure.  and you're saying victims will request this, since they know
> they can't withstand the attack and don't want to be held responsible for
> damage to the infrastructure.

Blackholing victims is what is current practice. For each stage of 
affected infrastructure, the business/provider will make requests to 
their peers to blackhole the victim IP to protect the bandwidth caps or 
router throughput caps.

Most providers, I imagine, don't ask the victim. The victim is 
unintentionally in violation of a TOS or AUP in many cases, but just as 
importantly, the provider can point out that the service to the customer 
was useless to begin with, and so the provider protected the rest of the 
customers who were not directly attacked.

Sometimes the attack is to something simple, like the IP of a modem bank 
or router just upstream of the intended victim. Such cases are 
no-brainers. We didn't need public access to that IP anyways. It'll 
break a few traceroutes, but otherwise, business goes on. In a few 
cases, it has been the end target IP of a customer which was dynamic in 
nature. The IP was blackholed for 3-5 days and the customer was 
transfered to a new IP and warned not to piss off the attacker.

> 
> where you lose me is where "the attacker must always win".

Do you have a miraculous way to stop DDOS? Is there now a way to quickly 
and efficiently track down forged packets? Is there a remedy to shutting 
down the *known* botnets, not to mention the unknown ones?

The attacker will always win if he has a large enough attack 
platform/botnet. Attacks aren't random in nature. Someone pissed someone 
else off that was, or knew someone who was, self proclaimed l33t. How 
many threads are in nanog archives on using prefix lists, uRPF, etc? 
Most of the problems that allow DDOS traffic are not technical problems, 
as much as they are economic and political problems.

While all this is worked out, we have one solution we know works. If we 
null route the victim IP, the traffic stops at the null route. Since 
most attackers don't care to DOS the ISP, but just to take care of that 
end point, they usually don't start shifting targets to try and keep the 
ISP itself out.

Jack

Follow-Ups:
- Global Blackhole Service
  - From: j.ott at plusserver.de (Jens Ott - PlusServer AG)
- Global Blackhole Service
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- Global Blackhole Service
  - From: vixie at isc.org (Paul Vixie)

References:
- Global Blackhole Service
  - From: nuno.vieira at nfsi.pt (Nuno Vieira - nfsi telecom)
- Global Blackhole Service
  - From: vixie at isc.org (Paul Vixie)
- Global Blackhole Service
  - From: jbates at brightok.net (Jack Bates)
- Global Blackhole Service
  - From: vixie at isc.org (Paul Vixie)

Prev by Date: Global Blackhole Service
Next by Date: Weekly Routing Table Report
Previous by thread: Global Blackhole Service
Next by thread: Global Blackhole Service
Index(es):
- Date
- Thread