ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard

2016-06-21 19:24:44
from [Michel Py] [Permanent Link] 
Christopher Morrow wrote :
'Max prefix pressure' care to elaborate a bit more on this?


Let's look at a real-world example : Team Cymru's UTRS.
https://www.cymru.com/jtk/misc/utrs.html

A participant is only permitted to have up to 25 active route announcements
through UTRS at a time. Additional routes will be rejected.


I foresee that IXPs and other organizations who would adopt the BLACKHOLE 
community would put limits just the same as UTRS does. At 25 routes per 
participant, the mitigation of a DDOS potentially coming from thousands of IP 
addresses is limited. I totally understand the reasons to permit only 25 (or n) 
blackholes routes. 


'way too broad' how so?


Because it's "only" one global community.


There are many filter knobs to turn in BGP peering


That is the point : there are no knobs to turn with only one community; IMHO, 
it would be better to have ASN:666 (with ASN being the source AS for the 
blackhole prefix _or_ the AS of the IXP) and even better to standardize more 
granularity about the reason for being blackholed.
AS:666 : blackhole
AS:6601 : blackhole because of spam
AS:6602 : blackhole because of ssh brute-force attack
.....


ok, but not everyone has to peer with your server, and not everyone may agree 
that
they want to listen-to/use such a new community in the wider network, right?


Correct, but I realized recently that the only way to have some adoption was to 
provide more knobs. If you don't block enough prefixes, the blackhole mechanism 
is not efficient. If you block enough prefixes, people are scared of using it.

​

at least for me to understand how this is worse than what exists today...


Because some people out there are in the DDOSAAS business; with the 
standardization of the BLACKHOLE community, some script kiddo could write 
something that probes to see if it actually works; maybe I'm full of BAAS but 
there are is a lot of creativity being put into DDOS; if this was to become 
standard, it could become a new attack vector.

See it the same way as logging in as root : as soon as you have the telnet or 
ssh port open to the outside, you will have attempts to log in as root. The 
same reasoning applies to a global blackhole community : compromised systems 
would to inject a blackhole prefix to see if it works and report to their C&C.

Your idea is good, but it's too broad, too generic.

Michel.

http://arneill-py.sacramento.ca.us/cbbc/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard, Christopher Morrow
Next by Date:  Re: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard, John Kristoff
Previous by Thread:  Re: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard, Christopher Morrow
Next by Thread:  Re: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard, Christopher Morrow
Indexes:  [Date] [Thread] [Top] [All Lists]