North American Network Operators Group


Re: Blackholes and IXs and Completing the Attack.

  • From: Rick Astley
  • Date: Sat Feb 02 20:19:08 2008

While I am not sure I fully understand your suggestion, I don't think it would be that hard to set up manually.

Sure it would require asking the individual peers for their black hole communities, but if they don't have one they are unlikely to honor the infrastructure you describe anyway.

Assume your network is set up to discard packets marked with community 13005:666.

Get a list of your peers' blackhole communities. When you announce the route from a location on your network, tag it with community 13005:666 but also 1111:777, 2222:888 etc. for the individual peers from the source. This prevents you from having to update multiple policies in multiple locations for each attack.

As long as they accept the /32 announced to them with their black hole community, they should discard the traffic without sending it to you.

Not all peers will have a blackhole community, but you need some way to know when the attack is over to know when to withdraw the route, and they are useful for this.

If you are real lazy, on the router you announce the black hole from, add an export policy that says from community 13005:666, then community add 1111:777, 2222:888 etc.

This way you only need to:

1. Update one policy in one place when peers change
2. Announce the route from one location adding one community to it.
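A Junos rendering of the single-policy approach described above, added here as an example; it is not from the original post or from any particular operator's configuration. The community names, the policy names, the 203.0.113.0/24 aggregate and the use of `next-hop discard` on import are assumptions; the community values 13005:666, 1111:777 and 2222:888 are the ones used in the post.

```junos
policy-options {
    /* trigger community honoured inside your own network */
    community BLACKHOLE members 13005:666;
    /* per-peer blackhole communities collected from each peer */
    community PEER-A-BLACKHOLE members 1111:777;
    community PEER-B-BLACKHOLE members 2222:888;

    /* Import side (assumed): discard traffic to any /32 carrying the trigger,
       but only for prefixes inside your own aggregate (assumed 203.0.113.0/24)
       so a mistyped or leaked /32 cannot blackhole someone else's address. */
    policy-statement BLACKHOLE-IMPORT {
        term discard-own-32s {
            from {
                community BLACKHOLE;
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then {
                next-hop discard;
                accept;
            }
        }
    }

    /* Export side: one policy applied to every peer session translates the
       single internal trigger into each peer's own blackhole community, so
       only this term changes when a peer's community changes. */
    policy-statement EXPORT-PEERS {
        term add-peer-blackhole-communities {
            from {
                community BLACKHOLE;
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then {
                community add PEER-A-BLACKHOLE;
                community add PEER-B-BLACKHOLE;
                next policy;   /* continue with the normal export chain */
            }
        }
        /* a /32 without the trigger community is never a blackhole; keep it
           from leaking to peers */
        term reject-other-32s {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then reject;
        }
    }
}
```

Peers that do not recognise 1111:777 or 2222:888 simply ignore those communities, so adding all of them on every session is harmless; when the attack ends, withdrawing the single /32 at its source removes it from every peer at once.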