[111822] in North American Network Operators' Group


Re: Global Blackhole Service

daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Feb 13 16:00:01 2009

From: Florian Weimer <fw@deneb.enyo.de>
To: Valdis.Kletnieks@vt.edu
Date: Fri, 13 Feb 2009 21:59:48 +0100
In-Reply-To: <10790.1234542537@turing-police.cc.vt.edu> (Valdis Kletnieks's
	message of "Fri, 13 Feb 2009 11:28:57 -0500")
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

* Valdis Kletnieks:

> On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said:
>> Therefore I had the following idea: Why not take one of my old routers and
>> set it up as blackhole-service. Then everyone who is interested could set up a
>> session to there and
>>
>> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
>> 2.) receive all the /32 (/128) announcements from the other peers with the IPs
>> they want to have blackholed and roll out the blackhole to their network.
>
> How do you vet proposed new entries to make sure that some miscreant doesn't
> DoS a legitimate site by claiming it is in need of black-holing?

The same way you prevent rogue announcements. 8-/

I guess an IX would be able to perform some validation of blacklisting
requests, or at least provide a contractual framework.  I don't think
a global solution exists (beyond the "use my route server" approach,
which is quite global--until there are two of them).
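The vetting Valdis asks about, as an added example that is not part of this thread: a route-server side check that accepts a blackhole announcement only when it is a host route (/32 or /128) and falls inside a prefix the announcing peer is registered for. The peer names and prefixes are constructed.

```python
import ipaddress

# Constructed example: prefixes each peer is authorised to blackhole, as the
# route-server operator would record them from the peer's registered routes.
AUTHORIZED = {
    "AS64500": [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")],
    "AS64501": [ipaddress.ip_network("198.51.100.0/24")],
}

def vet_announcement(peer, prefix, authorized=AUTHORIZED):
    """Return (accepted, reason) for a blackhole route announced by `peer`."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix: {exc}"
    # Only host routes are allowed: /32 for IPv4, /128 for IPv6.
    if net.prefixlen != net.max_prefixlen:
        return False, f"{net} is not a host route (/{net.max_prefixlen})"
    allowed = authorized.get(peer, [])
    # The host route must lie inside a prefix the peer is authorised for;
    # this is what stops a peer from blackholing somebody else's address.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, f"{net} is outside {peer}'s authorised prefixes"
    return True, "accepted"

def filter_updates(updates, authorized=AUTHORIZED):
    """Split a batch of (peer, prefix) updates into accepted and rejected."""
    accepted, rejected = [], []
    for peer, prefix in updates:
        ok, reason = vet_announcement(peer, prefix, authorized)
        (accepted if ok else rejected).append((peer, prefix, reason))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed batch: one legitimate entry, one peer reaching outside its space,
    # one that is not a host route.
    batch = [("AS64500", "192.0.2.10/32"),
             ("AS64501", "192.0.2.10/32"),
             ("AS64500", "192.0.2.0/24")]
    for status, entries in zip(("ACCEPT", "REJECT"), filter_updates(batch)):
        for peer, prefix, reason in entries:
            print(f"{status} {peer} {prefix}: {reason}")
```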

