Richard A Steenbergen wrote:
> I'd have to disagree with you. While you and many other networks may be able to handle most DoS attacks without involving your upstreams, there are still plenty (the majority I would say) of networks who can't. In fact, the entire CONCEPT of a blackhole customer community is to move the filtering up one level higher on the Internet, where it should theoretically be easier for the larger network to filter. It would be silly to assume that there is no attack which the person implementing the blackhole community cannot handle, or to assume that there will never be tier 2/3 ISPs aggregating or reselling bandwidth.
>
> Also, since the point of a blackhole community is to block all traffic to a destination prefix anyway, it doesn't matter whether the blackhole takes place 1 network upstream or 10. Any prefix which can be announced and routed on the global routing table should be able to be blackholed by every network on the global Internet, using a standard well-known community. This changes nothing of the current practices of accountability for your announcements, filtering by prefix length, etc. There would still remain a clear role for no-export and more specifics up to /32 between networks who have negotiated this relationship, but there is absolutely no reason you couldn't and shouldn't have global blackholes available as well.
You'd need an additional community to flag this, e.g. 65001:666 means to blackhole, 65001:6666 means to propagate it as well. I can't speak for others, but when we blackhole the destination (as opposed to blackholing the source or mitigating) we often only do it in the direction from which the attack is coming*. Why drop globally when you can drop traffic from a subset of the Internet? Your victim will thank you if 90% of their customer base can reach them, versus none. Similarly, if they're multi-homed, they may well rely on you NOT propagating. Maybe this looks different from the perspective of a global Tier-1.

* We often find that even with the larger attacks, the vast majority of the traffic comes in from a particular vector (or group of vectors). Rarely does traffic enter via peerings equally.

--
Ian Dickinson
Development Engineer
PIPEX
ian.dickinson@pipex.net
http://www.pipex.net
This e-mail is subject to: http://www.pipex.net/disclaimer.html
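Added example, not from the thread or from either poster: a small Python model of the accept / blackhole / propagate decision the two messages describe. The 65001:666 and 65001:6666 communities and the "drop only on the edges the attack is entering through" behaviour come from Ian's reply; the check that a customer may only announce (or blackhole) its own space, and the /24 and /48 limits for ordinary routes, stand in for the prefix filtering Richard says stays unchanged, with the exact limits assumed. The customer name, prefixes and edge-router names are constructed. When a blackhole is re-exported, the model rewrites the internal community to 65535:666, the well-known BLACKHOLE community later standardised in RFC 7999, which is the kind of globally agreed value Richard is asking for.

```python
"""Model of a customer-triggered BGP blackhole policy (added example).

Communities (65001:666 / 65001:6666 from the thread; the rest assumed):
  65001:666   blackhole the prefix on our network only
  65001:6666  blackhole it and re-announce the blackhole to our neighbours
  65535:666   well-known BLACKHOLE community (RFC 7999), used on re-export
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LOCAL_BLACKHOLE = "65001:666"
PROPAGATE_BLACKHOLE = "65001:6666"
WELL_KNOWN_BLACKHOLE = "65535:666"
NO_EXPORT = "no-export"

# Assumed ordinary prefix-length limits: nothing longer than /24 or /48
# unless it carries a blackhole community, in which case host routes are fine.
NORMAL_MAX_LEN = {4: 24, 6: 48}


@dataclass(frozen=True)
class Customer:
    name: str
    authorised: tuple[str, ...]  # blocks this customer may originate


@dataclass(frozen=True)
class Announcement:
    prefix: str
    communities: frozenset[str]
    customer: Customer


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    null_route: bool = False                        # discard traffic to the prefix
    null_route_on: frozenset[str] = frozenset()     # edge routers carrying the discard
    export: bool = False                            # re-announce the blackhole upstream
    export_communities: frozenset[str] = frozenset()


def covered_by_allocation(customer: Customer, net) -> bool:
    """True when `net` lies inside one of the customer's authorised blocks."""
    for block in customer.authorised:
        parent = ipaddress.ip_network(block)
        if parent.version == net.version and net.subnet_of(parent):
            return True
    return False


def evaluate(ann: Announcement, all_edges: frozenset[str],
             attack_edges: frozenset[str] | None = None) -> Decision:
    """Decide what to do with one customer announcement.

    all_edges    - every edge router where a discard could be installed
    attack_edges - the subset facing the attack, if the operator knows it;
                   None means drop everywhere (the "global" behaviour)
    """
    try:
        net = ipaddress.ip_network(ann.prefix)  # strict: host bits must be zero
    except ValueError as exc:
        return Decision(False, f"malformed prefix: {exc}")

    # Accountability does not change for blackholes: the customer may only
    # announce (or blackhole) space it is authorised to originate.
    if not covered_by_allocation(ann.customer, net):
        return Decision(False, "prefix outside the customer's authorised blocks")

    wants_propagate = PROPAGATE_BLACKHOLE in ann.communities
    wants_blackhole = wants_propagate or LOCAL_BLACKHOLE in ann.communities

    if not wants_blackhole:
        limit = NORMAL_MAX_LEN[net.version]
        if net.prefixlen > limit:
            return Decision(False, f"more specific than /{limit} without a blackhole community")
        return Decision(True, "ordinary route accepted")

    # Where to discard: only the edges the attack is entering through, if
    # known, so the rest of the Internet keeps reaching the victim.
    if attack_edges is None:
        targets = all_edges
    else:
        targets = attack_edges & all_edges
        if not targets:
            return Decision(False, "attack edges name no known edge router")

    if wants_propagate:
        # Strip our internal signalling and re-export with the well-known value
        # so the next network up recognises it without a bilateral agreement.
        return Decision(True, "blackhole installed and exported", null_route=True,
                        null_route_on=targets, export=True,
                        export_communities=frozenset({WELL_KNOWN_BLACKHOLE}))

    # Local-only: tag no-export so the host route never leaves our AS.
    return Decision(True, "blackhole installed locally", null_route=True,
                    null_route_on=targets, export=False,
                    export_communities=frozenset({LOCAL_BLACKHOLE, NO_EXPORT}))


if __name__ == "__main__":
    # Constructed sample data.
    cust = Customer("example-customer", ("192.0.2.0/24", "2001:db8::/32"))
    edges = frozenset({"edge-peer-a", "edge-peer-b", "edge-transit"})
    for comms, facing in ((frozenset({LOCAL_BLACKHOLE}), frozenset({"edge-peer-a"})),
                          (frozenset({PROPAGATE_BLACKHOLE}), None),
                          (frozenset(), None)):
        print(evaluate(Announcement("192.0.2.10/32", comms, cust), edges, facing))
```

The `attack_edges` argument is how the reply's "only in the direction the attack is coming from" turns into policy: a /32 tagged 65001:666 gets a discard on the named peering edges only, while the same prefix tagged 65001:6666 is also re-announced, and an untagged /32 is rejected by the ordinary prefix-length filter.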