|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Proposal for mitigating DoS attacks
On Sat, Jul 10, 1999 at 12:34:59PM -0500, Jon Green wrote: > If I were an ISP, I think I'd have issues with allowing third parties to > blackhole traffic in my own network. I don't think this does anything > to fix the political issues of inter-provider cooperation.. it just > provides an easier technical solution. I'm not sure the issue is with a third party being able to block traffic, but rather with who controls that ability. Blocking has been around in many forms, eg the RBL/MAPS, ORBS and other services. Technical differences of the problem aside, at least a subset of the Internet is willing to "give up control" to another organization in order to realize a greater benefit. Having said that, part of the reason these people succeed is that there is a single, well known point of control. If an address is on the RBL it is fairly easy to go to one point and look it up, and you know who to contact to get it removed. Back to Alex's proposal. The problem here is that if a route is blocked, the best method you have to track it back is the AS path. Now, while you may have good relationships with your peers and be able to get information out of them, you probably do not have good relationships with ISP's 4-5 AS's down in the food chain. It would not be obvious where to look, or who to call to answer the question "why is this network on the list?" It would also not be obvious who to call to get the "victim" network removed if it were placed there in error. In essence, this returns us to the situation we have today with poor communication. I have to wonder if a centralized database for this sort of thing could work. Like the RBL BGP feed, there would be a "Bad IP Things" feed (the BIT Bucket Feed? :-). It would come from a single ASN, and anyone who wants to participate would peer with that AS. In order to make it real time, member networks would go through some "approval" process that would allow them to add entries to this via a web or e-mail based system in "real time". Every entry would be logged with when it was entered, who entered it, and so forth in a single place that is easy to query. Having this centralized database might also lead to other interesting results, like scanning for patterns (repeat offenders, attacks from different IP's that always happen at the same time) that would help shut down the real offenders. It's an interesting idea, all in all. I give it a one in five chance of going somewhere, which by Internet standards is pretty good! :-) -- Leo Bicknell - [email protected] Systems Engineer - Internetworking Engineer - CCIE 3440 Read TMBG List - [email protected], www.tmbg.org
|