North American Network Operators Group

Re: Blackhole Routes
Richard A Steenbergen wrote:

> I'd have to disagree with you. While you and many other networks may be able to handle most DoS attacks without involving your upstreams, there are still plenty (the majority I would say) of networks who can't. In fact, the entire CONCEPT of a blackhole customer community is to move the filtering up one level higher on the Internet, where it should theoretically be easier for the larger network to filter. It would be silly to assume that there is no attack which the person implementing the blackhole community can not handle, or to assume that there will never be tier 2/3 ISPs aggregating or reselling bandwidth.

You'd need an additional community to flag this, e.g. 65001:666 means to blackhole, 65001:6666 means to propagate it as well.

I can't speak for others but when we blackhole the destination (as opposed to blackholing the source or mitigating) we often only do it in the direction from which the attack is coming*. Why drop globally when you can drop traffic from a subset of the Internet? Your victim will thank you if 90% of their customer base can reach them, versus none. Similarly, if they're multi-homed, they may well rely on you NOT propagating. Maybe this looks different from the perspective of a global Tier-1.

* We often find that even with the larger attacks, the vast majority of the traffic comes in from a particular vector (or group of vectors). Rarely does traffic enter via peerings equally.

-- 
Ian Dickinson
Development Engineer
PIPEX
[email protected]
http://www.pipex.net
This e-mail is subject to: http://www.pipex.net/disclaimer.html
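The two-community scheme Ian sketches (65001:666 = discard locally, 65001:6666 = discard and pass on to upstreams) and the "drop only on the ingress the attack arrives from" behaviour can be modelled in a few lines. The following Python is an added illustration written for this archive page; it is not code from PIPEX, from either poster, or from any router vendor. It assumes a constructed set of peering names, a constructed discard next-hop (192.0.2.1, meant to be routed to Null0), and an added safeguard not discussed in the thread: a customer may only blackhole prefixes inside the address space it is authorised to announce.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Community values as given in the e-mail above.
BLACKHOLE = "65001:666"             # discard locally only
BLACKHOLE_PROPAGATE = "65001:6666"  # discard locally and announce to upstreams too
NO_EXPORT = "no-export"             # well-known community: keep the route inside our AS
DISCARD_NEXT_HOP = "192.0.2.1"      # constructed: a next-hop statically routed to Null0

# Constructed names for the edges where traffic can enter our network.
PEERINGS = ["transit-a", "transit-b", "ix-peering", "customer-links"]


@dataclass
class Route:
    prefix: str
    communities: set
    from_peer: str  # the customer session this announcement arrived on


@dataclass
class BlackholeDecision:
    prefix: str
    next_hop: str
    export_upstream: bool
    drop_on_ingress: frozenset  # peerings where the discard is actually installed
    communities: set


def is_authorized(route, authorized):
    """Added safeguard: the blackholed prefix must sit inside the customer's own space."""
    net = ip_network(route.prefix)
    return any(net.subnet_of(ip_network(a)) for a in authorized.get(route.from_peer, []))


def apply_blackhole_policy(route, authorized, attack_vectors=None):
    """Turn a customer announcement into a blackhole decision.

    authorized:     mapping peer -> prefixes that peer may blackhole.
    attack_vectors: peerings the attack is arriving on; None means drop on all
                    ingress points (the "drop globally" case from the thread).
    Returns None when the route carries no blackhole community at all.
    """
    if not route.communities & {BLACKHOLE, BLACKHOLE_PROPAGATE}:
        return None
    if not is_authorized(route, authorized):
        raise ValueError(f"{route.from_peer} may not blackhole {route.prefix}")

    propagate = BLACKHOLE_PROPAGATE in route.communities
    communities = set(route.communities) | {BLACKHOLE}
    if not propagate:
        # Plain 65001:666: keep the discard inside our AS so a multi-homed
        # victim stays reachable through its other providers.
        communities.add(NO_EXPORT)

    ingress = frozenset(attack_vectors) if attack_vectors else frozenset(PEERINGS)
    return BlackholeDecision(route.prefix, DISCARD_NEXT_HOP, propagate, ingress, communities)


def forward(dst_ip, ingress, decisions):
    """Forwarding check: 'drop' if a discard covers dst_ip on this ingress, else 'forward'."""
    dst = ip_address(dst_ip)
    for d in decisions:
        if dst in ip_network(d.prefix) and ingress in d.drop_on_ingress:
            return "drop"
    return "forward"


if __name__ == "__main__":
    authorized = {"cust-acme": ["203.0.113.0/24"]}  # constructed customer allocation
    victim = Route("203.0.113.10/32", {BLACKHOLE}, "cust-acme")
    # The attack is only coming in via transit-a, so only that edge discards.
    decision = apply_blackhole_policy(victim, authorized, attack_vectors=["transit-a"])
    for edge in PEERINGS:
        print(edge, forward("203.0.113.10", edge, [decision]))
```

Run as-is it prints a drop on transit-a and a forward on every other edge: the victim keeps its reachability from the peering and customer sides while the attack vector is discarded, which is the trade-off Ian describes. Announcing the same /32 with 65001:6666 instead removes no-export, sets export_upstream, and installs the discard everywhere.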