On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said: > Therefore I had the following idea: Why not taking one of my old routers and > set it up as blackhole-service. Then everyone who is interested could set up a > session to there and > > 1.) announce /32 (/128) routes out of his prefixes to blackhole them > 2.) receive all the /32 (/128) announcements from the other peers with the IPs > they want to have blackholed and rollout the blackhole to their network.
How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed. You usually don't *have* a similar luxury if you're trying to deal with a DDoS, because those are essentially a real-time issue. Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away...
pgpbpAddW2Wfu.pgp
Description: PGP signature
