[102250] in North American Network Operators' Group


Re: Blackholes and IXs and Completing the Attack.

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sat Feb 2 16:39:25 2008

From: Paul Vixie <paul@vix.com>
To: "Ben Butler" <ben.butler@c2internet.net>
cc: nanog@merit.edu
In-Reply-To: Your message of "Sat, 02 Feb 2008 20:16:39 GMT."
             <F9181128E9584B40B5A04C43800604B40F8457@anyanka.c2internet.net> 
Date: Sat, 02 Feb 2008 21:37:01 +0000
Errors-To: owner-nanog@merit.edu
> I was not proposing the Null routing of the attack source in the other
> ISPs network but the destination in my network being Null routed as a
> destination from your network out.

i explained why this is bad -- it lowers the attacker's costs in what
amounts to an economics war.  they can get a web site taken down by its
own provider just by attacking it.  they need fewer resources for their
attack once they know the provider's going to blackhole the victim.

> This has no danger to the other network as it is my network that is
> going to be my IP space that is blackholed in your network, and the
> space blackholed is going to be an address that is being knocked off the
> air anyway under DoS and we are trying to minimise collateral damage.

your collateral damage is of precious little interest to someone else's
backbone staff, unless they can route-filter the potential announcements
so that you are unable to also remotely blackhole addresses you don't
advertise.  i explained this as an insurance/ISO9000 problem.

> I think you might have thought I was suggesting we blackhole sources in
> other people's networks - this is definitely not what I was saying.

i explained why this would be a more sensible approach, but STILL unworkable.

> So, given we all now understand each other - why is no one doing the above?

now that we've rehashed what we both said, i think we're done here.
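The route-filtering condition Vixie describes (a backbone accepting a customer's remote blackhole request only for addresses that customer actually advertises) modelled as an added example; this is illustrative code, not anything from the thread or from either poster. The customer names and prefixes are constructed, and the community value 65535:666 is RFC 7999's well-known BLACKHOLE community, which the message itself does not name.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the prefixes each customer is authorised to originate,
# as a transit provider would hold them in its own records (hypothetical data).
AUTHORISED = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Assumption: RFC 7999 BLACKHOLE community; the page names no specific community.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Announcement:
    peer: str          # which customer session the route arrived on
    prefix: str        # announced prefix in CIDR form
    communities: tuple # BGP communities attached, as "asn:value" strings


def evaluate(ann: Announcement):
    """Ingress policy for one announcement: returns (accept, reason).

    A blackhole-tagged route is accepted only if it is a host route that
    falls inside the peer's own authorised space; ordinary routes are also
    limited to that space. Anything else is rejected, so a customer cannot
    blackhole addresses it does not advertise."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"

    allowed = [ipaddress.ip_network(p) for p in AUTHORISED.get(ann.peer, [])]
    # subnet_of() raises on mixed address families, so check the version first.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not within peer's authorised space"

    if BLACKHOLE_COMMUNITY in ann.communities:
        host_len = 32 if net.version == 4 else 128
        if net.prefixlen != host_len:
            return False, "blackhole request must be a single host route"
        return True, "blackhole accepted for peer's own address"
    return True, "normal route accepted"


def apply_policy(announcements):
    """Run the policy over a batch and return the accepted prefixes in order."""
    return [a.prefix for a in announcements if evaluate(a)[0]]


if __name__ == "__main__":
    batch = [
        Announcement("cust-a", "192.0.2.10/32", (BLACKHOLE_COMMUNITY,)),   # own host: ok
        Announcement("cust-a", "198.51.100.7/32", (BLACKHOLE_COMMUNITY,)), # cust-b's space: rejected
        Announcement("cust-a", "192.0.2.0/25", (BLACKHOLE_COMMUNITY,)),    # not a host route: rejected
        Announcement("cust-b", "198.51.100.0/24", ()),                      # plain route: ok
    ]
    for a in batch:
        print(a.peer, a.prefix, evaluate(a))
```

The check is deliberately per-session: the same /32 is acceptable from the customer that originates the covering prefix and nothing else, which is the property a backbone needs before it is willing to honour anyone's blackhole requests at all.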
