The thing is, though, by allowing any /32s... what prevents /all/ customers from abusing it out of curiosity about what would happen? :) The fact that you are allowing any /32s (up to 100 or whatever max-prefix limit you set) is like giving a can of worms to your customers.

I don't think it's even worth the effort to bother when you have more than a couple of customers abusing it: security for one, SLA for the other, and thirdly I just don't trust customers injecting routes into my backbone without telling us. I don't think BGP or a routing protocol is the right way to solve infected machines participating in DDOS nets.

-J

On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote:
Here is a solution I would like to propose -- it is not as set-and-forget as network operators like, but we do know that some of our customers have a lot of expertise with this stuff, and taking advantage of that value helps. This is along the categories of collateral damage, scorched earth and generally punitive action for DDOS-compromised hosts. Because not everyone will read every line, I am going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. This will backfire if it's used for spam blackholes; it will really only have an effect in the narrower DDOS space.
This goes along with the idea of blackhole communities. I do NOT recommend it be turned on across the board for every customer, and once it has reached penetration, say 20-30% of the internet backbones using this feature, it should be phased back and only be an ICB item (call it planned obsolescence).
Just like the blackhole community routes, certain /32s (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist is that instead of limiting the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes, say 100 (or 10, or 1000, depending on how much trust you have).
So say joe-customer has identified his top 50 DDOS sources; he announces them to you and, voila, the DDOS is gone (even for spoofed traffic, depending on how your filters are set up). Obviously these would be no-export routes, so no peer need be worried.
The theory - It creates an actual, measured response to customer machines being vulnerable. It makes parts (ideally large parts) of the internet unavailable to those with vulnerable computers.
The bad side - People could blackhole important sites, until the ALL-CAPS rule is applied.
The somewhat less bad, bad side - Most of these /32s wouldn't be removed until the cable provider called the blackholing provider.
The reality is that these filters are probably created today by backbone security folks, so the question is how fast you want the injections/rejections.
IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM.
Comments?
Deepak
--
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
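The import policy Deepak sketches (customer-announced /32s only, tagged with a blackhole community, capped by a maximum-prefix limit, re-marked no-export and pointed at a discard next-hop) and the point James raises (those /32s are not confined to the customer's own address space), modelled as an added example. This is not code from the original thread or from either poster; the community value 65000:666, the discard next-hop 192.0.2.1, the customer name and all prefixes are assumptions for illustration.

```python
"""Simulated BGP import policy for a customer-announced blackhole feed.

Added example, not from the original thread. Models the proposal in the post:
a customer may announce /32s tagged with a blackhole community, those /32s are
NOT restricted to the customer's own address space, the feed is capped by a
maximum-prefix limit, and accepted routes are re-marked no-export and pointed
at a discard next-hop. Community value, addresses, the customer name and the
prefixes are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

BLACKHOLE_COMMUNITY = "65000:666"  # assumed: provider-chosen blackhole community
NO_EXPORT = "65535:65281"          # well-known NO_EXPORT community
DISCARD_NEXT_HOP = "192.0.2.1"     # assumed: statically routed to Null0 on every edge


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = ""


@dataclass
class CustomerSession:
    name: str
    allocated: list                   # customer's own prefixes (strings)
    max_blackhole: int = 100          # the "say 100" limit from the post
    blackhole_enabled: bool = True    # False once the feature is taken away
    session_up: bool = True           # False once max-prefix is exceeded
    blackholed: dict = field(default_factory=dict)
    regular: dict = field(default_factory=dict)

    def import_route(self, r: Route) -> str:
        """Apply the import policy to one announcement.

        Returns 'accept' (normal customer route), 'blackhole' (installed as a
        discard route) or 'reject:<reason>'."""
        if not self.session_up:
            return "reject:session-down"
        try:
            net = ip_network(r.prefix, strict=True)
        except ValueError:
            return "reject:malformed"
        if net.version != 4:
            return "reject:not-ipv4"

        if BLACKHOLE_COMMUNITY in r.communities:
            if not self.blackhole_enabled:
                return "reject:blackhole-revoked"
            if net.prefixlen != 32:                  # /32 only, nothing shorter
                return "reject:not-a-/32"
            if str(net) not in self.blackholed and len(self.blackholed) >= self.max_blackhole:
                # Routers typically tear the session down on max-prefix; mirror that.
                self.session_up = False
                return "reject:max-prefix"
            # Deliberately NOT checked against self.allocated: the proposal lets
            # joe-customer blackhole a /32 anywhere, which is exactly the abuse
            # concern raised in the reply.
            self.blackholed[str(net)] = Route(str(net), {NO_EXPORT}, DISCARD_NEXT_HOP)
            return "blackhole"

        # Ordinary announcement: must fall inside the customer's allocation.
        if not any(net.subnet_of(ip_network(a)) for a in self.allocated):
            return "reject:not-customer-space"
        self.regular[str(net)] = r
        return "accept"

    def withdraw(self, prefix: str) -> bool:
        """Customer withdraws a route; True if something was removed."""
        return (self.blackholed.pop(prefix, None) or self.regular.pop(prefix, None)) is not None

    def revoke_blackhole(self) -> int:
        """The ALL-CAPS rule: take the feature away and flush its routes."""
        self.blackhole_enabled = False
        n = len(self.blackholed)
        self.blackholed.clear()
        return n


def demo():
    """Walk joe-customer's session through the policy; returns (session, results)."""
    s = CustomerSession("joe-customer", ["203.0.113.0/24"], max_blackhole=3)
    results = [
        s.import_route(Route("203.0.113.0/24")),                          # accept
        s.import_route(Route("198.51.100.0/24")),                         # reject:not-customer-space
        s.import_route(Route("198.51.100.7/32", {BLACKHOLE_COMMUNITY})),  # blackhole (not joe's space!)
        s.import_route(Route("198.51.100.0/24", {BLACKHOLE_COMMUNITY})),  # reject:not-a-/32
        s.import_route(Route("198.51.100.8/32", {BLACKHOLE_COMMUNITY})),  # blackhole
        s.import_route(Route("198.51.100.9/32", {BLACKHOLE_COMMUNITY})),  # blackhole
        s.import_route(Route("198.51.100.10/32", {BLACKHOLE_COMMUNITY})), # reject:max-prefix
        s.import_route(Route("203.0.113.0/25")),                          # reject:session-down
    ]
    return s, results


if __name__ == "__main__":
    session, res = demo()
    for line in res:
        print(line)
    print("blackholed:", sorted(session.blackholed))
```

The third announcement is the crux of the disagreement: a /32 outside joe-customer's allocation is installed as a discard route because the policy, by design, only checks length and count. A provider that wants James's safeguard would add a check against the customer's allocation (or a whitelist of third-party space the customer is trusted to act on) before the `self.blackholed[...]` assignment, at which point the feature collapses back into an ordinary blackhole community.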