Roland, On Mon, Feb 6, 2012 at 2:43 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
S/RTBH can be rapidly shifted in order to deal with changing purported source IPs, and it isn't limited to /32s.
The big drawback with S/RTBH is that it is a DoS method in itself. Say eyeball provider X has implemented automated S/RTBH, and I have a grudge against them. I would simply DoS a couple of the subscribers with spoofed source IP addresses from google, youtube, netflow and hulu. The automated S/RTBH drops all packets coming from those IP addresses. Presto; many angry consumers call the ISP's helpdesk. The same goes for hosting networks, I just need to identify what kind of service my intended victim is dependent on. (i.e. paypal). Then DoS any part of the hosters network with spoofed source addresses of paypal, the automated S/RTBH makes sure the entire hosting network is not able to reach paypal anymore. Presto, mission achieved. Bas