North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Blackholes and IXs and Completing the Attack.
"Well then they wouldn't be peering with this route reflector " Well then, the utility is probably close to 0, isn't it? I doubt most of the sources of DDOS traffic, especially those without ingress source filtering, are going to peer with your route reflector. What's their economic incentive to expend the engineering time to do so? I sincerely doubt that any backbone provider will filter at a /32. That means they have to check EVERY PACKET AT FULL IP DEST against your AS advertised routes. Since most backbone routers build circuits at the /18 and above mask on MPLS, just to keep up with traffic, I sincerely doubt they are going to expend the CPU, and potentially RAM, never mind prefix table entries (you know, those things we're running out of) to have a full table of every host that every hoster says is being DDOSed. In this case, there's a clear economic cost, for no economic benefit (they do actually make money delivering that DDOS traffic). A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. If you really want to be nice, they don't need to renumber, you just need to stop advertising the target subnet, change the DNS RR's and NAT at your borders, if you control DNS and IP. The added benefit of this is that you can swap them back when the DDOs is over, and they get to stay up while it's happening. All you need to do this is some spare, never to be allocated, IP space. Works with the existing infrastructure, doesn't require an "Internet God", and in general, is likely to be more effective in the real world. That whole "rough consensus and running code" ethos of the IETF thing, as opposed to the "Cathedral" mentality of the ITU (and ICANNt), which your approach would imply. You control which routes you advertise, after all. Plus, AT&T's legal beagles don't get to send you a dunning notice when their patent gets granted. > -----Original Message----- > From: Ben Butler [mailto:[email protected]] > Sent: Saturday, February 02, 2008 2:42 PM > To: Tomas L. Byrnes; [email protected] > Subject: RE: Blackholes and IXs and Completing the Attack. > > "If you're trying to do it on a /32 basis, I doubt you'd > find too many border router operators interested in accepting > a route that small, but I may be wrong." > > Well then they wouldn't be peering with this route reflector > in the first place. > > -----Original Message----- > From: Tomas L. Byrnes [mailto:[email protected]] > Sent: 02 February 2008 20:39 > To: Ben Butler; Paul Vixie; [email protected] > Subject: RE: Blackholes and IXs and Completing the Attack. > > You could achieve the exact same result simply by not > advertising the network to your peers, or by advertising a > bogus route (prefixing a known bogon AS for the addresses you > want null-routed). I realize you would have to > subnet/deaggregate your netblocks, and therefore could wind > up with a prefix-length issue for peers who won't accept > routes longer than a certain mask, in some cases, but if you > are already being DDOSed, this should represent SOME improvement. > > If you're trying to do it on a /32 basis, I doubt you'd find > too many border router operators interested in accepting a > route that small, but I may be wrong. > > The bigger issue with all these approaches is that they run > afoul of a patent applied for by AT&T: > > http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HI TOFF&p=1&u > =%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=P G01&s1=200 > 60031575&OS=20060031575&RS=20060031575 > > USPTO App Number 20060031575 > > > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] > On Behalf > > Of Ben Butler > > Sent: Saturday, February 02, 2008 12:17 PM > > To: Paul Vixie; [email protected] > > Subject: RE: Blackholes and IXs and Completing the Attack. > > > > > > Hi, > > > > I was not proposing he Null routing of the attack source in > the other > > ISPs network but the destination in my network being Null > routed as a > > destination from your network out. > > > > This has no danger to the other network as it is my network that is > > going to be my IP space that is blackholed in your network, and the > > space blackholed is going to be an address that is being knocked of > > the air anyway under DoS and we are trying to minimise collateral > > damage. I cant see where the risk to the large NSP is - given that > > the route reflector will only reflect /32s that > legitimately originate > > > (as a destination not a source) in the AS announcing them as please > > blackhole. > > > > For complete clarity: AS13005 announces 220.127.116.11/19 > and has its > > route object in RIPE as being announced by AS13005. > > My router at IX - BENIX say - announces 18.104.22.168/32 to > the router > > > reflector their, the announcement from my IX assigned address > > 22.214.171.124 is known to be my router on the exchange, and I am > > announcing a /32 from my AS for a route object registered as being > > announced by my AS - so the reflector accepts my announcement and > > reflects it to any other members that choose to peer with this > > reflector - effectively this is a please blackhole this > destination in > > AS13005 - the other members that receive this announcement can then > > deal with it in anyway they see fit from ignoring it to setting > > next-hop 192.0.2.1 -> Null0. > > > > The effect of this would be that any BotNet controlled hosts in the > > other member network would now be able to drop any attack > traffic in > > their network on destination at their customer aggregation routers. > > > > I think you might have thought I was suggesting we > blackhole sources > > in other peoples networks - this is definatly not what I was saying. > > > > So, given we all now understand each other - why is no one > doing the > > above? > > > > At the end of the day if an IX member doesn't want the > announcements > > don't peer with the blackhole reflector, simple, and it > will get Null > > routed as soon as it hits my edge router at the IX - it would just > > seem more sensible to enable people to block the traffic before it > > traverses the IX and further back in their own networks. > > > > So????? > > > > Ben > > > > > > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] > On Behalf > > Of Paul Vixie > > Sent: 02 February 2008 17:32 > > To: [email protected] > > Subject: Re: Blackholes and IXs and Completing the Attack. > > > > > > [email protected] ("Ben Butler") writes: > > > > > ... > > > This hopefully will ensure a relatively protected router > > that is only > > > accessible from the edge routers we want and also secured to only > > > accept filtered announcements for black holing and in consequence > > > enable the system to be trusted similar to Team Cymaru. > > > ... > > > > This sounds like another attempt to separate the Internet's control > > plane from its data plane, and most such attempts do > succeed and are > > helpful (like NSP OOB, or like enterprise-level anycast of DNS). > > However, I'm not sure that remote triggered blackholes are a good > > direction, worthy of the protection you're proposing, for three > > reasons. > > > > First, because large NSP's simply cannot afford the risk associated > > with letting a third party, automatically and without controls or > > audits, decide in real time what sources or destinations > shall become > > unreachable. With all respect (which is a lot) for > spamhaus and cymru > > > and even MAPS (which I had a hand in, back in the day), feeding BGP > > null-routes to a multinational backbone is a privilege that ISO9000 > > and SarBox and liability insurance providers don't usually want to > > extend. > > > > Second, because many backbone routers in use today can't do policy > > routing routing (which is in this case dropping packets > because their > > source address, not their destination address, has a particular > > community associated with it) at line speed. Note, this is > > many-not-all > > -- I'm perfectly aware that lots of backbone routers can do > this but > > not everybody has them or can afford them and those who > have them tend > > > to be the multinational NSPs discussed earlier. > > To prevent our DDoS protection reflexes from lowering an attacker's > > cost (by automatically blackholing victims to protect the > nonvictims), > > > we have to be able to blackhole the abusive traffic by > source, not by > > destination. > > > > Third, because many OPNs (other people's networks) still > don't filter > > on source address on their customer-facing edge, and thus allow > > spoofed-source traffic to exit toward "the core" or toward > a victim's > > NSP who cannot filter by source due to path ambiguities inherent in > > "the core", any wide scale implementation of this, even if we could > > get trusted automation of it at scale and even if everybody had > > policy-routing-at-like-speed, would just push the attackers toward > > spoofed-source. That means a huge amount of work and money for the > > world, without changing the endgame for attackers and > victims at all. > > (See BCP38 and SAC004 for prior rants on this controversial topic.) > > >