North American Network Operators Group


RE: Blackholes and IXs and Completing the Attack.

  • From: Ben Butler
  • Date: Sat Feb 02 17:59:35 2008

Hi,

"i explained why this is bad -- it lowers the attacker's costs in what
amounts to an economics war.  they can get a web site taken down by its
own provider just by attacking it.  they need fewer resources for their
attack once they know the provider's going to blackhole the victim."

I thought the cold war nuclear arms race had shown up to be truly MAD.
Who is paying for this ever escalating capacity of infrastructure as a
way to survive large DoS attacks?

Smaller attacks can be absorbed, but I really can't see a strategy of
endlessly upgrading network router and WAN infrastructure to ensure
enough headroom ideal capacity is a particularly economically sensible
approach to the problem.

Ben

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Paul Vixie
Sent: 02 February 2008 21:37
To: Ben Butler
Cc: [email protected]
Subject: Re: Blackholes and IXs and Completing the Attack. 

> I was not proposing the Null routing of the attack source in the other
> ISPs network but the destination in my network being Null routed as a
> destination from your network out.

i explained why this is bad -- it lowers the attacker's costs in what
amounts to an economics war.  they can get a web site taken down by its
own provider just by attacking it.  they need fewer resources for their
attack once they know the provider's going to blackhole the victim.

> This has no danger to the other network as it is my network that is
> going to be my IP space that is blackholed in your network, and the
> space blackholed is going to be an address that is being knocked off
> the air anyway under DoS and we are trying to minimise collateral
> damage.

your collateral damage is of precious little interest to someone else's
backbone staff, unless they can route-filter the potential announcements
so that you are unable to also remotely blackhole addresses you don't
advertise.  i explained this as an insurance/ISO9000 problem.

> I think you might have thought I was suggesting we blackhole sources
> in other peoples networks - this is definitely not what I was saying.

i explained why this would be a more sensible approach, but STILL
unworkable.

> So, given we all now understand each other - why is no one doing the
> above?

now that we've rehashed what we both said, i think we're done here.
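The route-filter condition Vixie raises in the quoted reply (only honour a peer's remote blackhole announcement for addresses that peer is actually entitled to advertise) as an added illustration; this is not code from the thread or from any NANOG participant, and the ASNs, the per-peer authorised prefix table and the use of the RFC 7999 BLACKHOLE community are assumptions.

```python
import ipaddress

# Constructed sample: prefixes each peer is authorised to originate, as an
# operator might derive from IRR or RPKI data (assumed input, not from the thread).
AUTHORISED = {
    "AS64500": ["192.0.2.0/24", "198.51.100.0/25"],
    "AS64501": ["203.0.113.0/24"],
}

# Well-known BLACKHOLE community from RFC 7999 (assumed signalling convention).
BLACKHOLE_COMMUNITY = "65535:666"


def filter_blackhole_announcements(peer_asn, announcements, authorised=AUTHORISED):
    """Split a peer's announcements into (accepted, rejected).

    An announcement is a (prefix, set_of_communities) pair. It is accepted only if
    it carries the blackhole community, is a host route, and falls inside a prefix
    the peer is authorised to advertise; everything else is rejected with a reason,
    so a peer cannot blackhole address space it does not own.
    """
    allowed = [ipaddress.ip_network(p) for p in authorised.get(peer_asn, [])]
    accepted, rejected = [], []
    for prefix, communities in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if BLACKHOLE_COMMUNITY not in communities:
            rejected.append((prefix, "no blackhole community"))
        elif net.prefixlen != net.max_prefixlen:
            rejected.append((prefix, "not a host route"))
        elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            rejected.append((prefix, "outside peer's authorised space"))
        else:
            accepted.append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements from AS64500: one legitimate, three that must be dropped.
    sample = [
        ("192.0.2.10/32", {"65535:666"}),
        ("203.0.113.5/32", {"65535:666"}),   # another peer's space
        ("192.0.2.0/24", {"65535:666"}),     # whole prefix, not a host route
        ("192.0.2.11/32", {"64500:100"}),    # no blackhole community
    ]
    ok, dropped = filter_blackhole_announcements("AS64500", sample)
    print("accepted:", ok)
    for prefix, reason in dropped:
        print("rejected:", prefix, "-", reason)
```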