[74519] in North American Network Operators' Group


Re: Blackhole Routes

daemon@ATHENA.MIT.EDU (Wayne E. Bouchard)
Thu Sep 30 13:09:46 2004

Date: Thu, 30 Sep 2004 10:08:42 -0700
From: "Wayne E. Bouchard" <web@typo.org>
To: Erik Haagsman <erik@we-dare.net>
Cc: "Robert A. Hayden" <rhayden@geek.net>,
	Abhishek Verma <abhishekv.verma@gmail.com>, nanog@merit.edu
In-Reply-To: <1096555254.4570.68.camel@thanos.we-dare.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Sep 30, 2004 at 04:40:54PM +0200, Erik Haagsman wrote:
> 
> On Thu, 2004-09-30 at 15:45, Robert A. Hayden wrote:
> > There are mechanisms to do it using eBGP and communities as well which I'm 
> > sure most on this list are more familiar with.
> > 
> > Think of blackholing as a way to surgically remove a specific IP from your 
> > network, without having to deal with pushing ACLs into multiple entry 
> > points.  At least that's what it accomplishes for us.
> 
> And perhaps more importantly, when using eBGP blackholing communities,
> without DDoS traffic hitting your ingress bandwidth from your upstreams.
> ACLs can only filter traffic that's already at your edge, whereas
> blackholing allows your upstream to filter it for you throughout his
> network, reducing the risk of congested links.

It goes a little further than that these days. Folks are openly
allowing customers to advertise routes with something like a 666
community which will then be blackholed within their network. So if
you're a service provider with your own blackhole system, you can
easily tie it into your upstream's system and dump the traffic many
hops away from you, meaning that the traffic is getting dumped closer
to the source than the destination in a fair number of cases.

---
Wayne Bouchard
web@typo.org
Network Dude
http://www.typo.org/~web/
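
Added example, not part of the original message or any provider's actual policy: a Python sketch of the checks an upstream would apply before honouring a customer route tagged with a blackhole community. The community `64500:666`, the discard next hop `192.0.2.1`, the prefix-length limits and all prefixes are assumptions chosen for illustration.

```python
import ipaddress

# Assumed values for illustration (documentation ASN and prefixes, not from the post).
BLACKHOLE_COMMUNITY = "64500:666"   # provider's "blackhole this" tag
DISCARD_NEXT_HOP = "192.0.2.1"      # address the provider statically routes to a null interface
MIN_BLACKHOLE_LEN = 32              # only IPv4 host routes may be blackholed in this sketch
MAX_NORMAL_LEN = 24                 # longest prefix accepted for ordinary routing


def evaluate(announcement, customer_prefixes):
    """Return (action, next_hop, communities) for one customer BGP announcement."""
    prefix = ipaddress.ip_network(announcement["prefix"])
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    communities = set(announcement.get("communities", []))

    # A customer may only speak for address space registered to it; otherwise
    # the blackhole community would let it drop traffic to someone else.
    if not any(prefix.version == a.version and prefix.subnet_of(a) for a in allowed):
        return ("reject", None, set())

    if BLACKHOLE_COMMUNITY in communities:
        if prefix.prefixlen < MIN_BLACKHOLE_LEN:
            return ("reject", None, set())
        # Rewrite the next hop to the discard address and keep the route
        # inside the provider's network.
        return ("blackhole", DISCARD_NEXT_HOP, communities | {"no-export"})

    if prefix.prefixlen > MAX_NORMAL_LEN:
        return ("reject", None, set())
    return ("accept", announcement["next_hop"], communities)


# Constructed sample announcements from a customer holding 198.51.100.0/24.
CUSTOMER = ["198.51.100.0/24"]
SAMPLES = [
    {"prefix": "198.51.100.0/24", "next_hop": "203.0.113.2", "communities": []},
    {"prefix": "198.51.100.7/32", "next_hop": "203.0.113.2", "communities": ["64500:666"]},
    {"prefix": "198.51.100.0/24", "next_hop": "203.0.113.2", "communities": ["64500:666"]},
    {"prefix": "203.0.113.9/32", "next_hop": "203.0.113.2", "communities": ["64500:666"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["prefix"], s["communities"], "->", evaluate(s, CUSTOMER)[0])
```

The ownership check comes first because a blackhole community accepted without it would let one customer null-route another network's addresses.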
