Paul Vixie wrote:
blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure.
Blackholing victims is what is current practice. For each stage of affected infrastructure, the business/provider will make requests to their peers to blackhole the victim IP to protect the bandwidth caps or router throughput caps. Most providers, I imagine, don't ask the victim. The victim is unintentionally in violation of a TOS or AUP in many cases, but just as importantly, the provider can point out that the service to the customer was useless to begin with, and so the provider protected the rest of the customers who were not directly attacked. Sometimes the attack is to something simple, like the IP of a modem bank or router just upstream of the intended victim. Such cases are no-brainers. We didn't need public access to that IP anyways. It'll break a few traceroutes, but otherwise, business goes on. In a few cases, it has been the end target IP of a customer which was dynamic in nature. The IP was blackholed for 3-5 days and the customer was transfered to a new IP and warned not to piss off the attacker.
where you lose me is where "the attacker must always win".
Do you have a miraculous way to stop DDOS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy to shutting down the *known* botnets, not to mention the unknown ones? The attacker will always win if he has a large enough attack platform/botnet. Attacks aren't random in nature. Someone pissed someone else off that was, or knew someone who was, self proclaimed l33t. How many threads are in nanog archives on using prefix lists, uRPF, etc? Most of the problems that allow DDOS traffic are not technical problems, as much as they are economic and political problems. While all this is worked out, we have one solution we know works. If we null route the victim IP, the traffic stops at the null route. Since most attackers don't care to DOS the ISP, but just to take care of that end point, they usually don't start shifting targets to try and keep the ISP itself out. Jack