I think this solution addresses a number of issues that the current blackhole process lacks. Generally when a blackhole is sent to your provider, they in turn pass that on to the rest of their routers, dropping the traffic as soon as it hits their network. The traffic is still taking up just as much capacity up to that point. Were a system implemented as discussed, providers would be able to prevent traffic that is known to be malicious from even exiting their network, which in the end works out better for everyone.

--
Regards,
Jake Mertel
Nobis Technology Group, L.L.C.
Web: http://www.nobistech.net/
Phone: (312) 281-5101 ext. 401
Fax: (808) 356-0417
Mail: 201 West Olive Street
Second Floor, Suite 2B
Bloomington, IL 61701

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
Sent: Friday, February 13, 2009 1:59 PM
To: NANOG list
Subject: Re: Global Blackhole Service

On Fri, Feb 13, 2009 at 1:04 PM, Jack Bates <jbates@brightok.net> wrote:
> Paul Vixie wrote:
> > blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure.
>
> Blackholing victims is what is current practice. For each stage of affected

it is A current practice.. so is filtering, so is scrubbing... there is no one answer for this.

> infrastructure, the business/provider will make requests to their peers to blackhole the victim IP to protect the bandwidth caps or router throughput caps.

or cause no one really cares about: your.mama.wears.combat.boots.tobed.com ... or other silly 95%-of attacked, things.

> > where you lose me is where "the attacker must always win".
>
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly and

There are purchasable answers to this problem... 3 (at least) providers in the US (and at least one now offers it globally) offer traffic scrubbing services. I know that one offers it at a very reasonable price even...

> efficiently track down forged packets? Is there a remedy to shutting down

you can track streams of forged packets, but that's not super important here. Forged packets actually make this part of the problem (stopping the dos) easier, not harder.

> the *known* botnets, not to mention the unknown ones?

there are lots of folks tracking and shutting down botnets, it's not horribly effective in stopping this sort of thing. I can vividly recall tracking down 4 nights in a row the same 'botnet' (same controller person, different C&C and mostly different bots) as they were being used to attack a customer of mine at the time. This with the cooperation of 2 other very large ISPs in the US and one vendor security team even. In the end though a simple scrubbing solution was deemed the simplest answer for all involved.

> The attacker will always win if he has a large enough attack

For extreme cases this is true, but there are quite a lot of things on the spectrum which don't require super human efforts, and don't even require intervention from the ISP if proper precautions are taken at the outset.

-chris
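The blackhole signalling the thread is arguing about (a customer announces a victim host route to its provider, the provider carries it to its routers and discards traffic to it), shown as an added example that is not code from the thread or from any of the posters. It encodes a minimal BGP UPDATE for the host route, decodes it back, and then applies the acceptance check a provider needs before honouring such a request: the requesting customer must actually hold the prefix, and only host routes are accepted. Without that check, a blackhole service is a way for any customer to take an arbitrary address offline. Assumptions not in the thread: the blackhole is marked with the BLACKHOLE well-known community 65535:666 (RFC 7999, which postdates this 2009 discussion; providers then used their own community values) plus NO_EXPORT; 2-byte AS numbers, IPv4 only, a single AS_SEQUENCE segment; the prefixes and AS number are constructed from documentation ranges.

```python
"""Added example (not from the NANOG thread): a destination-based blackhole
announcement on the wire, and the provider-side policy that should gate it.

Assumptions (not in the original thread):
  - BLACKHOLE community 65535:666 (RFC 7999) plus NO_EXPORT (RFC 1997)
  - 2-byte ASNs, IPv4 only, one AS_SEQUENCE segment, no extended-length attrs
  - sample prefixes/ASN are constructed from documentation ranges
"""
import ipaddress
import struct

BLACKHOLE = (65535 << 16) | 666   # 65535:666, RFC 7999
NO_EXPORT = 0xFFFFFF01            # well-known NO_EXPORT, RFC 1997


def _attr(flags, code, value):
    """One BGP path attribute: flags, type code, 1-byte length, value."""
    return struct.pack("!BBB", flags, code, len(value)) + value


def build_update(prefix, next_hop, asn, communities):
    """Encode a minimal BGP UPDATE (RFC 4271) announcing `prefix`.

    `next_hop` is the trigger address the provider routes to a discard
    interface, so anything resolving through it is dropped at the edge.
    """
    net = ipaddress.IPv4Network(prefix)
    attrs = (
        _attr(0x40, 1, b"\x00")                                  # ORIGIN = IGP
        + _attr(0x40, 2, struct.pack("!BBH", 2, 1, asn))          # AS_PATH: AS_SEQUENCE of one ASN
        + _attr(0x40, 3, ipaddress.IPv4Address(next_hop).packed)  # NEXT_HOP
        + _attr(0xC0, 8, b"".join(struct.pack("!I", c) for c in communities))  # COMMUNITIES
    )
    nbytes = (net.prefixlen + 7) // 8
    nlri = bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    # withdrawn-routes length (0), path-attribute length, attributes, NLRI
    return struct.pack("!HH", 0, len(attrs)) + attrs + nlri


def parse_update(data):
    """Decode an UPDATE from build_update(): (prefixes, next_hop, communities)."""
    wd_len, = struct.unpack_from("!H", data, 0)
    pa_len, = struct.unpack_from("!H", data, 2 + wd_len)
    pos, end = 4 + wd_len, 4 + wd_len + pa_len
    next_hop, communities = None, []
    while pos < end:
        flags, code = data[pos], data[pos + 1]
        if flags & 0x10:                      # extended-length attribute
            length, = struct.unpack_from("!H", data, pos + 2)
            pos += 4
        else:
            length = data[pos + 2]
            pos += 3
        value = data[pos:pos + length]
        pos += length
        if code == 3:
            next_hop = str(ipaddress.IPv4Address(value))
        elif code == 8:
            communities = [struct.unpack_from("!I", value, i)[0]
                           for i in range(0, len(value), 4)]
    prefixes = []
    while pos < len(data):                    # NLRI: prefix length + packed bytes
        plen = data[pos]
        nbytes = (plen + 7) // 8
        addr = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        pos += 1 + nbytes
    return prefixes, next_hop, communities


def accept_blackhole(prefix, communities, authorized):
    """Provider policy for a received blackhole request.

    Returns (accept, reason). `authorized` is the list of prefixes the
    requesting customer is registered for; a blackhole outside that set
    would let one customer null-route someone else's address.
    """
    net = ipaddress.IPv4Network(prefix)
    if BLACKHOLE not in communities:
        return False, "no BLACKHOLE community"
    if net.prefixlen != 32:
        return False, "only host routes may be blackholed"
    if not any(net.subnet_of(ipaddress.IPv4Network(a)) for a in authorized):
        return False, "prefix not held by requesting customer"
    return True, "install discard route"


if __name__ == "__main__":
    # constructed sample: customer AS 64500 blackholes victim 203.0.113.7
    upd = build_update("203.0.113.7/32", "192.0.2.1", 64500, [BLACKHOLE, NO_EXPORT])
    prefixes, nh, comms = parse_update(upd)
    print(prefixes, nh, [hex(c) for c in comms])
    print(accept_blackhole(prefixes[0], comms, ["203.0.113.0/24"]))
    print(accept_blackhole("198.51.100.7/32", comms, ["203.0.113.0/24"]))
```

The policy function is the part that matters operationally: the wire format is trivial to produce, so the only thing standing between "blackhole my victim" and "blackhole my competitor" is the provider checking the request against what the customer is actually authorized to announce.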