Of course, whoever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real traction in the field. There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone can peer with it.
- S
-----Original Message----- From: Nuno Vieira - nfsi telecom <nuno.vieira@nfsi.pt> Sent: Friday, February 13, 2009 07:13 To: Jens Ott - PlusServer AG <j.ott@plusserver.de> Cc: nanog <nanog@nanog.org> Subject: Re: Global Blackhole Service
Hi Jens,
I think we are in the same boat.
We suffered the same problem often, on a lower magnitude, but if a project like this exists those DDoS could even be almost near zero.
This is somewhat similar to what Spamcop and other folks do with SPAM today, but applied to a different scope, say, BGP blackholing.
This service can span wide beyond just peers, opening the opportunity to edge-to-edge DDoS mitigation.
Say, a network in .pt or .de is being attacked at large, and the dst operators inject the dst attacked source into the blackhole BGP feed... say that 100+ other ops around the world use a scenario like this... this might be very useful. Concerns: the "authority" or the "responsible" party for maintaining this project must assure that OP A or OP B can *only* announce chunks that belong to them, avoiding any case of hijack.
We would be interested in participating in something like this.
So,
My questions to all of you:
- What do you think about such service?
It will be great. We are available to help.
- Would you/your ASN participate in such a service?
Yes.
- Do you see some kind of useful feature in such a service?
Yes, a few thoughts above, some more might come up.
- Do you have any comments?
For starters, a few above.
Regards,
---
Nuno Vieira
nfsi telecom, lda.
nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/
----- "Jens Ott - PlusServer AG" <j.ott@plusserver.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded.
With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge, but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS.
I can imagine that for some peers, especially the ones having only a thin fiber (e.g. 1GBit) to Decix, it's not too funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge.
Well, I could discuss with my peers (at least the ones who might get in trouble with such an issue) to do some individual config for some blackhole announcement, but most probably I'm not the only one receiving DoS and who would be interested in such a setup.
Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and
1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and roll out the blackhole to their network.
My questions to all of you:
- What do you think about such service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?
Thank you for telling me your opinions and best regards
- -- ===================================================================
Jens Ott Leiter Network Management
Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501
E-Mail: j.ott@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A
PlusServer AG Daimlerstraße 9-11 50354 Hürth
Germany
HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger
===================================================================
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkmVilwACgkQMf0yjMLKfXpNuQCeKcicthIadISe7I+Xs5ZNHS+1 0qUAnRDkOY9/6kokq3Hf68BRQFfkP3xy =jKUA -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Skywing wrote:
Of course, whoever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real traction in the field. There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone can peer with it.
You are right, and that's also what I am currently thinking about. Well, one solution might be that all participants' blackhole-router IPs are also announced with some special community, and all participants drop all traffic but BGP traffic from IPs listed with that community to the blackhole RR destination(s) everywhere in their network.
BR Jens
- S
-----Original Message----- From: Nuno Vieira - nfsi telecom <nuno.vieira@nfsi.pt> Sent: Friday, February 13, 2009 07:13 To: Jens Ott - PlusServer AG <j.ott@plusserver.de> Cc: nanog <nanog@nanog.org> Subject: Re: Global Blackhole Service
Hi Jens,
I think we are in the same boat.
We suffered the same problem often, on a lower magnitude, but if a project like this exists those DDoS could even be almost near zero.
This is somewhat similar to what Spamcop and other folks do with SPAM today, but applied to a different scope, say, BGP blackholing.
This service can span wide beyond just peers, opening the opportunity to edge-to-edge DDoS mitigation.
Say, a network in .pt or .de is being attacked at large, and the dst operators inject the dst attacked source into the blackhole BGP feed... say that 100+ other ops around the world use a scenario like this... this might be very useful. Concerns: the "authority" or the "responsible" party for maintaining this project must assure that OP A or OP B can *only* announce chunks that belong to them, avoiding any case of hijack.
We would be interested in participating in something like this.
So,
My questions to all of you:
- What do you think about such service?
It will be great. We are available to help.
- Would you/your ASN participate in such a service?
Yes.
- Do you see some kind of useful feature in such a service?
Yes, a few thoughts above, some more might come up.
- Do you have any comments?
For starters, a few above.
Regards,
---
Nuno Vieira
nfsi telecom, lda.
nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/
----- "Jens Ott - PlusServer AG" <j.ott@plusserver.de> wrote:
Hi,
in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded.
With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge, but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS.
I can imagine that for some peers, especially the ones having only a thin fiber (e.g. 1GBit) to Decix, it's not too funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge.
Well, I could discuss with my peers (at least the ones who might get in trouble with such an issue) to do some individual config for some blackhole announcement, but most probably I'm not the only one receiving DoS and who would be interested in such a setup.
Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and
1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and roll out the blackhole to their network.
My questions to all of you:
- What do you think about such service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?
Thank you for telling me your opinions and best regards
- --
===================================================================
Jens Ott Leiter Network Management
Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501
E-Mail: j.ott@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A
PlusServer AG Daimlerstraße 9-11 50354 Hürth
Germany
HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger
===================================================================
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkmVqvwACgkQMf0yjMLKfXp1OgCfcvTgueonvW4z0dOash9KWUb0 pjMAniZprPAM14H477EHy4I0Ccd9nqy4 =EH0/ -----END PGP SIGNATURE-----
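Two policy points come up in this thread: Nuno's concern that a participant must only be able to announce host routes inside address space that actually belongs to it (so the feed cannot be used to hijack or blackhole someone else's hosts), and Jens's follow-up idea of tagging each participant's blackhole-router address with a special community so that everyone can drop all traffic to the route reflector except BGP from those addresses. The Python below is an added example written for this page, not code from any of the thread's participants or from a real blackhole service. The community values, the per-ASN authorization table and the sample announcements are all constructed placeholders (documentation ASNs and RFC 5737/RFC 3849 documentation prefixes); in practice the authorization data would come from the operator's own allocation records or an IRR.

```python
"""Policy checks for a shared BGP blackhole feed (constructed example).

A route-reflector operator receives /32 (/128) announcements from
participants.  Each announcement is accepted only if it is a host route,
carries one of the agreed communities, and falls inside address space the
announcing ASN is authorised for.  Announcements tagged as a participant's
BGP speaker are then used to build an ACL that shields the reflector.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Placeholder community values chosen for this example; the thread names none.
BLACKHOLE_COMMUNITY = "65000:666"    # "drop traffic destined to this host"
PEER_ROUTER_COMMUNITY = "65000:100"  # "this host is a participant's BGP speaker"
BGP_PORT = 179


@dataclass
class Announcement:
    peer_asn: int
    prefix: str
    communities: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_announcement(ann: Announcement, authorized: Dict[int, List[str]]) -> Verdict:
    """Accept a route only if it is a host route, is tagged, and lies inside
    address space the announcing participant is on record as holding."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=False)
    except ValueError:
        return Verdict(False, "unparseable prefix")
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        return Verdict(False, f"only /{host_len} host routes are accepted, got /{net.prefixlen}")
    if not ann.communities & {BLACKHOLE_COMMUNITY, PEER_ROUTER_COMMUNITY}:
        return Verdict(False, "no blackhole or router community attached")
    # Compare only against same-address-family allocations; subnet_of() raises
    # on a v4/v6 mismatch.
    allowed = (ipaddress.ip_network(p) for p in authorized.get(ann.peer_asn, []))
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return Verdict(False, f"AS{ann.peer_asn} is not authorized to announce {ann.prefix}")
    return Verdict(True, "ok")


def filter_feed(anns: Iterable[Announcement], authorized: Dict[int, List[str]]
                ) -> Tuple[List[Announcement], List[Tuple[Announcement, str]]]:
    """Split a batch of announcements into accepted routes and (route, reason) rejects."""
    accepted: List[Announcement] = []
    rejected: List[Tuple[Announcement, str]] = []
    for ann in anns:
        verdict = check_announcement(ann, authorized)
        if verdict.accepted:
            accepted.append(ann)
        else:
            rejected.append((ann, verdict.reason))
    return accepted, rejected


def participant_speakers(accepted: Iterable[Announcement]) -> Set[str]:
    """Addresses of participants' BGP speakers, taken from accepted routes
    tagged with PEER_ROUTER_COMMUNITY (Jens's special-community idea)."""
    return {str(ipaddress.ip_network(a.prefix, strict=False).network_address)
            for a in accepted if PEER_ROUTER_COMMUNITY in a.communities}


def rr_protection_acl(speakers: Set[str], rr_ip: str) -> List[str]:
    """Vendor-neutral ACL text: only BGP from listed speakers may reach the reflector."""
    lines = [f"permit tcp host {ip} host {rr_ip} eq {BGP_PORT}" for ip in sorted(speakers)]
    lines.append(f"deny ip any host {rr_ip}")
    return lines


# Constructed sample data (documentation ASNs and prefixes only).
AUTHORIZED: Dict[int, List[str]] = {
    64496: ["192.0.2.0/24", "2001:db8:1::/48"],
    64497: ["198.51.100.0/24"],
}
SAMPLE_FEED: List[Announcement] = [
    Announcement(64496, "192.0.2.7/32", {BLACKHOLE_COMMUNITY}),       # own space: accept
    Announcement(64496, "198.51.100.9/32", {BLACKHOLE_COMMUNITY}),    # someone else's: reject
    Announcement(64497, "198.51.100.0/24", {BLACKHOLE_COMMUNITY}),    # not a host route: reject
    Announcement(64496, "2001:db8:1::53/128", {BLACKHOLE_COMMUNITY}), # own v6 space: accept
    Announcement(64497, "198.51.100.1/32", {PEER_ROUTER_COMMUNITY}),  # participant's speaker
    Announcement(64497, "198.51.100.2/32"),                           # untagged: reject
]

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED, AUTHORIZED)
    for ann in ok:
        print("ACCEPT", f"AS{ann.peer_asn}", ann.prefix)
    for ann, why in bad:
        print("REJECT", f"AS{ann.peer_asn}", ann.prefix, "-", why)
    for line in rr_protection_acl(participant_speakers(ok), "203.0.113.1"):
        print(line)
```

The authorization check is the part that addresses the hijack concern: an announcement is matched against the announcing ASN's own allocations, not merely against "some participant's" allocations, so one participant cannot blackhole another's hosts even though both are trusted peers of the reflector. The ACL builder is deliberately vendor-neutral text; it shows what the community-driven protection of the reflector would produce, and a real deployment would render it in the router's own syntax.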