At 09:58 PM 01-05-02 -0400, Wojtek Zlobicki wrote:
The ultimate goal of the DDOS attack is to take a specific user/site down. Blackholing is a way to help the attacker along. If the user is a small site, we say "screw it" and do the null0 in order to save the ISP backbone links. If the user is large (think eBay or any other major e-commerce site), you wouldn't easily blackhole them in order to save the rest of your network. You would try to find a better solution.

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com

> > Then you are pushing out /32's and peers would need to accept them. Then
> > someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
>
> I am in no way proposing discounting current filtering rules. There are
> always two different interests one must consider, one that of the customer
> and two that of the service provider. If a large block must be filtered,
> so be it.
>
> Where are providers drawing the line? Anyone have somewhat detailed
> published policies as to what a provider can do in order to protect their
> network as a whole? At what point (strength of the attack) does a
> customer's netblock (assuming a /24 for example) get null routed by
> whichever party?
>
> > Anyways, some providers already allow you to set a community on a route,
> > and they will in turn "blackhole" it for you. I believe Teleglobe does
> > this for some customers and I know UUNet does this for all customers.
>
> When the attack is distributed, having one or two providers (even if they
> are UUNET or Teleglobe) is just not enough. Must private routing policy be
> developed in order to make my suggestion work? The reasons that so many
> methods likely fail are the difficulty of implementation and low
> implementation.
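The thread above describes community-triggered blackholing (a customer tags a route, the provider null-routes it) and worries about where to draw the line so that /30s and /29s do not bloat the table. The following added example, which is not from the message or from any of the providers named, models a provider's inbound policy for such announcements in Python: the community value, the customer allocations and the per-customer cap are all constructed, hypothetical values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example: the provider's blackhole community and
# the prefixes each customer is allowed to originate (from its allocation records).
BLACKHOLE_COMMUNITY = "65000:666"          # hypothetical, provider-specific
MAX_BLACKHOLE_ROUTES_PER_CUSTOMER = 8      # hypothetical cap against route bloat
CUSTOMER_ALLOCATIONS = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

@dataclass
class Announcement:
    customer: str
    prefix: str
    communities: tuple

def evaluate(ann, active_blackholes):
    """Return ('blackhole'|'accept'|'reject', reason) for one customer announcement.

    active_blackholes: dict customer -> set of prefixes already blackholed.
    """
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return "reject", f"malformed prefix: {exc}"
    allocs = CUSTOMER_ALLOCATIONS.get(ann.customer, [])
    # A customer may only announce (or blackhole) space inside its own allocation.
    if not any(net.subnet_of(a) for a in allocs):
        return "reject", "prefix outside customer allocation"
    if BLACKHOLE_COMMUNITY not in ann.communities:
        # Ordinary announcement: apply the normal prefix-length limit (/24 or shorter here).
        if net.prefixlen > 24:
            return "reject", "too specific for normal routing"
        return "accept", "normal route"
    # Blackhole request: host routes only, so the /30s-and-/29s bloat never starts.
    if net.prefixlen != net.max_prefixlen:
        return "reject", "blackhole must be a host route"
    held = active_blackholes.setdefault(ann.customer, set())
    if net not in held and len(held) >= MAX_BLACKHOLE_ROUTES_PER_CUSTOMER:
        return "reject", "per-customer blackhole limit reached"
    held.add(net)
    # On a real router this step would set the next hop to a discard address that
    # is statically routed to null0; here we only report the decision.
    return "blackhole", "next-hop set to discard address"
```

The per-customer counter is the kind of line-drawing the thread asks about: the provider accepts any number of attack victims as host routes, but never lets blackhole announcements grow into a second routing table.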