[111873] in North American Network Operators' Group
Re: Global Blackhole Service
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sat Feb 14 17:44:12 2009
From: Florian Weimer <fw@deneb.enyo.de>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Date: Sat, 14 Feb 2009 23:43:58 +0100
In-Reply-To: <20090213121553.1aea266c@cs.columbia.edu> (Steven M. Bellovin's message of "Fri, 13 Feb 2009 12:15:53 -0500")
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
* Steven M. Bellovin:
> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique. You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it. Those two points are *hard*.
If you want to run a public exchange point, you need to solve the same
announcement validation problem. Multiple organizations appear to do
it successfully, so it can't be that difficult.
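The two requirements Bellovin names (authoritative prefix-ownership data and an authenticated request) can be shown as a validation step in code. The example below is added here and is not part of the thread or of any real blackhole service; the ASNs, prefixes, authorization table and per-AS shared secrets are all constructed, and HMAC over a shared key stands in for whatever authentication a real service would use. The ownership check is the same covering-prefix and maximum-length test an exchange point's route server applies to announcements.

```python
"""Validate a blackhole (RTBH) request against prefix-ownership data and an
authenticated submitter.  Added example, not from the NANOG thread: every
ASN, prefix and key below is constructed."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteAuthorization:
    """Who may originate what: prefix, origin ASN, and the longest prefix
    length the holder permits.  Blackhole routes are normally host routes,
    so a holder that wants to use the service must allow /32 or /128."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    origin_asn: int
    max_length: int


# Constructed authorization table (what an IRR or ROA lookup would return).
AUTHORIZATIONS = (
    RouteAuthorization(ipaddress.ip_network("192.0.2.0/24"), 64496, 32),
    RouteAuthorization(ipaddress.ip_network("2001:db8::/32"), 64496, 128),
    RouteAuthorization(ipaddress.ip_network("198.51.100.0/24"), 64497, 24),
)

# Constructed per-AS shared secrets used to authenticate requests.
AS_KEYS = {
    64496: b"constructed-key-for-as64496",
    64497: b"constructed-key-for-as64497",
}


def prefix_authorized(net, asn, authorizations=AUTHORIZATIONS):
    """True if `net` lies inside an authorization for `asn` whose max_length
    permits a prefix this long (covering-prefix check with a length cap)."""
    for auth in authorizations:
        if auth.origin_asn != asn or auth.prefix.version != net.version:
            continue
        if net.subnet_of(auth.prefix) and net.prefixlen <= auth.max_length:
            return True
    return False


def sign_request(asn, prefix, action, key):
    """HMAC-SHA256 over the canonical request fields (constructed scheme)."""
    message = f"{asn}|{prefix}|{action}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def validate_blackhole_request(asn, prefix, action, mac,
                               authorizations=AUTHORIZATIONS, keys=AS_KEYS):
    """Return (accepted, reason).  Authentication is checked before
    ownership, so an unauthenticated caller learns nothing about the table."""
    if action not in ("announce", "withdraw"):
        return False, "unknown-action"
    key = keys.get(asn)
    if key is None:
        return False, "unknown-asn"
    expected = sign_request(asn, prefix, action, key)
    if not hmac.compare_digest(expected.encode(), str(mac).encode()):
        return False, "bad-signature"
    try:
        # strict=True rejects prefixes with host bits set or bad lengths.
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed-prefix"
    if not prefix_authorized(net, asn, authorizations):
        return False, "not-authorized-for-prefix"
    return True, "accepted"


if __name__ == "__main__":
    good = sign_request(64496, "192.0.2.66/32", "announce", AS_KEYS[64496])
    print(validate_blackhole_request(64496, "192.0.2.66/32", "announce", good))
    # AS64497 authenticates correctly but does not hold 192.0.2.0/24, so the
    # request to blackhole someone else's address is refused.
    other = sign_request(64497, "192.0.2.66/32", "announce", AS_KEYS[64497])
    print(validate_blackhole_request(64497, "192.0.2.66/32", "announce", other))
```

The refusal in the second case is the point of Bellovin's objection: a valid credential alone must not be enough, the credential has to be tied to the prefix through ownership data the service trusts. The max_length field matters for the same reason; a holder that only ever announces a /24 should not have /32s inside it blackholed by a request that merely carries its ASN.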