FYI - I think Paul knows exactly what you are talking about. Hint - review the seminar: http://www.nanog.org/meetings/nanog36/abstracts.php?pt=Mzk5Jm5hbm9nMzY=&nm=n anog36
-----Original Message----- From: Jack Bates [mailto:jbates@brightok.net] Sent: Friday, February 13, 2009 9:23 AM To: Paul Vixie Cc: nanog@merit.edu Subject: Re: Global Blackhole Service
Paul Vixie wrote:
i think Spamhaus and Cymru are way ahead of you in implementing such a thing, and it's likely that there are even commercial alternatives to Trend Micro although i have not kept up on those details.
I think there's a misunderstanding from what I've read about what is being blackholed. We are not talking about blackholing the senders, but a massive scale method of blackholing the victims at the victim's request to protect infrastructure. Currently this type of service usually doesn't extend beyond one or two ASs and depending on traffic flows can still cause damage, especially through exchange points.
With enough support and use, this would allow a larger portion of bad traffic to be null routed closer to the sender origination points. Since the null routing BGP servers would expect a larger routing table from these /32 networks, they would be placed at key points capable of handling the larger tables; compared to just allowing the /32's out into the wild and possibly exceeding route/memory constraints.
It can also be used as authoritative information that an IP is undergoing a DOS attack, and large volumes of connections to that IP should be considered suspect. I consider this a much more useful method of detecting DOS traffic leaving your infected users than the emails which are usually sent out by those being hit by DOS.
Jack