At 09:58 PM 01-05-02 -0400, Wojtek Zlobicki wrote:

The ultimate goal of the DDOS attack is to take a specific user/site down. Blackholing is a way to help the attacker along. If the user is a small site, we say "screw it" and do the null0 in order to save the ISP backbone links. If the user is large (think eBay or any other major e-commerce site), you wouldn't easily blackhole them in order to save the rest of your network. You would try to find a better solution.

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com
Then you are pushing out /32's and peers would need to accept them. Then someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
I am in no way proposing discounting current filtering rules. There are always two different interests one must consider: one, that of the customer, and two, that of the service provider. If a large block must be filtered, so be it.
Where are providers drawing the line? Anyone have somewhat detailed published policies as to what a provider can do in order to protect their network as a whole? At what point (strength of the attack) does a customer's netblock (assuming a /24, for example) get null routed by whichever party?
Anyways, some providers already allow you to set a community on a route, and they will in turn "blackhole" it for you. I believe Teleglobe does this for some customers, and I know UUNet does this for all customers.
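The customer-triggered blackhole mechanism described above, as an added illustration that is not part of the thread or of any provider's actual configuration: a small Python model of the provider-side import policy that honours the blackhole community only for host routes inside the customer's own assigned blocks, which is what keeps the "/30s, /29s, route bloat" concern in check. The community value, discard next-hop and prefixes are constructed assumptions.

```python
import ipaddress

# Constructed assumptions, not values from the thread:
BLACKHOLE_COMMUNITY = "65000:666"  # hypothetical provider-assigned community
DISCARD_NEXT_HOP = "192.0.2.1"     # hypothetical next-hop statically pointed at null0


def blackhole_policy(prefix, communities, customer_blocks,
                     community=BLACKHOLE_COMMUNITY, discard_nh=DISCARD_NEXT_HOP):
    """Evaluate one announcement received on a customer BGP session.

    Returns ("pass", None) when the route carries no blackhole community and
    should go through the ordinary import policy, ("accept", next_hop) when
    the route is rewritten to the discard next-hop, or ("reject", reason).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if community not in communities:
        return ("pass", None)
    # Only host routes are blackholed; anything shorter would let a customer
    # (or an attacker who spoofs the customer's session) sink whole blocks.
    if net.prefixlen != net.max_prefixlen:
        return ("reject", "blackhole routes must be host routes")
    # The customer may only blackhole addresses it has been assigned.
    blocks = [ipaddress.ip_network(b) for b in customer_blocks]
    if not any(net.version == b.version and net.subnet_of(b) for b in blocks):
        return ("reject", "prefix outside customer's assigned blocks")
    return ("accept", discard_nh)


def apply_policy(announcements, customer_blocks):
    """Run the policy over a list of (prefix, communities) tuples."""
    return [(p, blackhole_policy(p, c, customer_blocks)) for p, c in announcements]


if __name__ == "__main__":
    # Constructed sample session from a customer holding 198.51.100.0/24.
    sample = [
        ("198.51.100.7/32", {"65000:666"}),   # victim host: accepted, sent to null0
        ("198.51.100.0/29", {"65000:666"}),   # too broad: rejected
        ("203.0.113.9/32", {"65000:666"}),    # not the customer's space: rejected
        ("198.51.100.0/24", {"65000:100"}),   # normal route: passed to usual policy
    ]
    for prefix, verdict in apply_policy(sample, ["198.51.100.0/24"]):
        print(prefix, verdict)
```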
When the attack is distributed, having one or two providers (even if they are UUNET or Teleglobe) is just not enough. Must a private routing policy be developed in order to make my suggestion work? The reason that so many methods likely fail is the difficulty of implementation and low implementation.