On Jan 29, 2008 7:14 AM, Ben Butler <ben.butler@c2internet.net> wrote:
> Or, to ask the question another way, would the low % of infrastructure backbone attacks increase if the infrastructure started effectively blocking attacks rather than completing them through null routing the target. If the commercial $ are being paid to the ISP to prevent DoS
So first off you might consider where the 'null route' is applied, in which cases it's used vs other sorts of techniques. There are many, many cases every day of things that get null routed due to them being a destination of a DoS/DDoS attack. In those cases almost always it's a completely useless thing that the end user doesn't even care about, so just stopping the flood is more important than any other solution. The cases of larger/more-important things being attacked get handled in other, more complex, ways. (acls, mitigation platforms/scrubbers/etc)
> surely the ISP then becomes an extortion target as well rather than just the end customer site.
no, not really, sometimes the upstream devices get packet-love, but that's not difficult to fix either... who needs their internal infrastructure reachable by the external world?

See work on infrastructure acls by: james gill @vzb + darrel lewis @ cisco + paul quinn @ cisco + barry greene @ cisco +....

new book by Greg Schudel @ cisco -> <http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365>

note that I haven't looked at the book but it seems to cover some of this.
> In a way it's a bit similar to a protection racket in that as long as the ISP completes attacks rather than blocks them it is in the attacker's interests to leave the infrastructure alone to a large degree.
or it's in their interest because their monetary flow comes across those same pipes.... so turning off the intertubes is contrary to their goals. (see presentations by Team Cymru on this topic actually)
> Black hole routing easy & effective, source identification / traffic scrubbing expensive.
The distinction between blackhole-routing and scrubbing that you draw is overly simplistic, if you are a UUNET/VerizonBusiness customer (or sprint or ATT though I can't easily find their links...) <http://www.verizonbusiness.com/products/security/managed/#services-dos> yours for the low-low price of 3250/month... which is well worth it if you have an ecommerce site of any decent revenue draw...

The folks at UUNET/VZB will even do things aside from NullRoute if you have issues and are their customer, all you have to do is call and ask them for assistance when problems arise, some of that is described at: <http://www.verizonbusiness.com/terms/us/products/internet/sla/> (I had to google search this, vz's website isn't so helpful on finding information....)

-Chris