On Fri, 13 Feb 2009 16:41:41 +0000 (WET) Nuno Vieira - nfsi telecom <nuno.vie...@nfsi.pt> wrote:
> Ok, however, what I am talking about is a completely different thing,
> and I think that my thoughts are aligned with Jens.
>
> We want to have a Sink-BGP-BL, based on Destination.
>
> Imagine, I as an ISP host a particular server that is getting nn
> Gbps of DDoS attack. I null route it, and start advertising a /32 to
> my upstream providers with a community attached, for them to null
> route it at their network. However, the attacks continue going on
> and on, often flooding internet exchange connections and so.
>
> A solution like this, widely used, would prevent packets from leaving
> their home network, effectively mitigating any kind of DDoS (or
> packet flooding).
>
> Obviously, we need a few people to build this (a website, an
> organization), where, when a new ISP connects and is added to the system,
> a prefix list should be implemented, preventing that ISP from announcing
> IP addresses that DON'T belong to it.
>
> The Sink-BGP-BL sends a full feed of what it gets to member ISPs,
> and those member ISPs should apply route-maps or whatever they
> want, but, in the end, they want to discard the traffic to those
> prefixes (ex: Null0 or /dev/null).
>
> This is a matter of getting enough people to kick this off, to build
> a website, to establish one or two route-servers and to put them to use.
>
> Once again, I am interested in this; if others are as well, let me know.
> This should be a community-driven project.

In other words, a legitimate prefix hijacking service...

As Randy and Valdis have pointed out, if this isn't done very carefully it's an open invitation to a new, very effective DoS technique. You can't do this without authoritative knowledge of exactly who owns any prefix; you also have to be able to authenticate the request to blackhole it. Those two points are *hard*.

I also note that the scheme as described here is incompatible with more or less any possible secured BGP, since by definition it involves an AS that doesn't own a prefix advertising a route to it.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
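The one control Nuno's proposal offers against the hijack Steve describes is the per-member prefix list: a member ISP may inject a blackhole route only for address space it owns. The following is an added example of that route-server-side check, written for this page and not code from the thread or from any existing blackhole feed. The ownership table, the member ASNs, the sample updates and the choice of community value are all constructed here; in particular the table is simply assumed to be authoritative, which is exactly the part Steve calls hard, and the code assumes the BGP session itself already authenticates which member sent each update.

```python
"""Route-server filter for a destination-based blackhole feed (added example)."""
import ipaddress

# Constructed ownership table (member ASN -> allocated prefixes). It stands in
# for the authoritative ownership data the scheme cannot do without; the ASNs
# and prefixes are documentation values, not real allocations.
OWNERSHIP = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}

# Assumed community that marks a route as "please discard"; the thread does not
# name one. 65535:666 is the well-known BLACKHOLE value from RFC 7999.
BLACKHOLE_COMMUNITY = "65535:666"


def build_prefix_lists(ownership):
    """Turn the ownership table into per-member prefix lists."""
    return {asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in ownership.items()}


def validate_announcement(member_asn, prefix, communities, prefix_lists):
    """Decide whether a member's blackhole announcement may enter the feed.

    Returns (accepted, reason). A rejection here is what keeps one member
    from null-routing somebody else's address space through the feed.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "missing blackhole community"
    # Only host routes: a wider blackhole is a much bigger outage lever than
    # a victim-targeted feed should hand to any single member.
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes (/32 or /128) are accepted"
    allowed = prefix_lists.get(member_asn)
    if not allowed:
        return False, f"AS{member_asn} is not a member"
    # subnet_of() raises on mixed address families, so compare versions first.
    if not any(net.version == owned.version and net.subnet_of(owned)
               for owned in allowed):
        return False, f"AS{member_asn} does not own {prefix}"
    return True, "accepted"


def filter_feed(updates, ownership=OWNERSHIP):
    """Apply the filter to a batch of (asn, prefix, communities) updates.

    Returns the list of prefixes that make it into the feed sent to members.
    """
    prefix_lists = build_prefix_lists(ownership)
    accepted = []
    for asn, prefix, communities in updates:
        ok, reason = validate_announcement(asn, prefix, communities, prefix_lists)
        print(f"AS{asn} {prefix}: {reason}")
        if ok:
            accepted.append(prefix)
    return accepted


# Constructed batch of updates as the route server might receive them.
SAMPLE_UPDATES = [
    (64500, "192.0.2.10/32", ["65535:666"]),      # victim in own space: accept
    (64500, "2001:db8:1::1/128", ["65535:666"]),  # IPv6 host route: accept
    (64501, "192.0.2.10/32", ["65535:666"]),      # someone else's host: reject
    (64500, "192.0.2.0/24", ["65535:666"]),       # whole /24: reject
    (64500, "192.0.2.11/32", []),                 # no community: reject
    (64502, "203.0.113.1/32", ["65535:666"]),     # not a member: reject
]

if __name__ == "__main__":
    filter_feed(SAMPLE_UPDATES)
```

Running the block accepts only the two host routes inside AS64500's own space and rejects the third update, which is the "blackhole somebody else's server" case the replies warn about. Note what the filter does not do: it trusts the ownership table and the session identity it is handed, so it is only as good as the registry data behind it, and it does nothing about the point that the feed, by design, has a route server advertising prefixes it does not own.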