[102269] in North American Network Operators' Group
Re: Blackholes and IXs and Completing the Attack.
daemon@ATHENA.MIT.EDU (Rick Astley)
Sun Feb 3 02:02:41 2008
Date: Sun, 3 Feb 2008 01:56:08 -0500
From: "Rick Astley" <jnanog@gmail.com>
To: "Ben Butler" <ben.butler@c2internet.net>
Cc: nanog@merit.edu
In-Reply-To: <F9181128E9584B40B5A04C43800604B40F845B@anyanka.c2internet.net>
Errors-To: owner-nanog@merit.edu
I see your point, but I think maintaining the box for the control session
would also require a decent amount of work.
Presumably, since you must all adhere to some quasi-standard to communicate
with the control peer, you could probably also agree on creating a standard
BGP community (i.e. 64666:666 & no-export) to use and just skip the middle
man.
Granted, I am kind of new as well, and I assume if the solution were that
simple more people would be using it.
On Feb 2, 2008 9:07 PM, Ben Butler <ben.butler@c2internet.net> wrote:
> Hi,
>
> Agreed, but when you have >100 peers that is still a fair bit of work. I
> know technically how to do it and am doing this with transits but then there
> are only seven of those. It is not a question of how or can, but should /
> is it valuable / constructive?
>
> The starting point in the thought process, having just done it for transits,
> was right, ok, now how do we sensibly scale this to apply it at IXes without
> everyone having to run round contacting everyone else, and to see if there
> was an easier way of doing things, hence the suggestion. Plus it keeps
> things nice and separated: your IX peering sessions announce just the main
> prefixes, the session to the "blackhole reflector" can be in a separate
> peer-group and you only send the /32s to the reflector. You don't have to
> worry about who uses which communities as each member that chooses to peer
> with the reflector is able to apply inbound route-maps of their own
> choosing to any prefixes they receive from this reflector at each individual
> IX.
>
> Given that an ISP has elected to Complete the attack on a host that is
> being DoSed, for whatever reason, and they have chosen to send blackhole
> announcements to transit, the logical extension seems to be to automate the
> sending of them to IXs to try to further cut down on traffic. This seems
> like an easy way: internally you just community tag on the trigger box for
> where you want the announcement to go, transit, internal, customers, IX
> all,1 2 not 3 - whatever - and BGP sends it out. Easy, and a single system
> to send out all updates when you choose to and easy to remove when you want
> to take it out again.
>
> If you subscribe to completing the attack as a strategy, then the
> suggestion seemed like an easy way of rolling it out to the next logical
> point after transit.
>
> Kind Regards
>
> Ben
>
>
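A small model of the community-steered blackhole scheme discussed above, added here as an illustration and not anyone's actual router configuration: the 64666:666 blackhole community, the per-destination steering communities, the peer-group names and the 192.0.2.1 discard next-hop are all assumed placeholders. It also covers IPv6 host routes (/128) and adds an inbound check that a peer may only blackhole space it originates, neither of which the thread itself mentions.

```python
"""Model of trigger-box export policy and an IX member's inbound route-map
for blackhole /32s (and /128s).  All community values, group names and the
discard next-hop below are constructed placeholders, not from the thread."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = "64666:666"          # agreed blackhole signal (assumed value)
NO_EXPORT = "no-export"          # well-known community; stops re-advertising
DISCARD_NEXT_HOP = "192.0.2.1"   # assumed: statically routed to Null0 everywhere
# Assumed trigger-box communities saying where an announcement may go.
STEER = {"transit": "64666:1", "internal": "64666:2",
         "customers": "64666:3", "ix": "64666:4"}


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = field(default_factory=frozenset)
    next_hop: str = ""


def _is_host_route(prefix):
    """True for a single-host prefix (/32 for IPv4, /128 for IPv6)."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == net.max_prefixlen


def export_to_group(route, group):
    """Trigger-box outbound policy: send a blackhole host route to a
    peer-group only when it is tagged for that group, rewrite the next-hop
    to the discard address and attach no-export.  Returns None if filtered."""
    if BLACKHOLE not in route.communities or not _is_host_route(route.prefix):
        return None
    if STEER[group] not in route.communities:
        return None
    return Route(route.prefix, route.communities | {NO_EXPORT}, DISCARD_NEXT_HOP)


def reflector_inbound(route, peer_aggregates):
    """An IX member's inbound route-map toward the blackhole reflector: accept
    only host routes carrying the blackhole community that lie inside address
    space the announcing peer is known to originate, and set the discard
    next-hop locally rather than trusting what the reflector sent."""
    if not _is_host_route(route.prefix) or BLACKHOLE not in route.communities:
        return None
    net = ipaddress.ip_network(route.prefix)
    covered = any(a.version == net.version and net.subnet_of(a)
                  for a in map(ipaddress.ip_network, peer_aggregates))
    if not covered:
        return None   # a peer must not blackhole space it does not originate
    return Route(route.prefix, route.communities | {NO_EXPORT}, DISCARD_NEXT_HOP)
```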