Re: anyone else seeing very long AS paths?

2009-02-17 Thread Jens Ott - PlusServer AG

Hi,

I just received a reply from Sloan-Park that they shut down that customer
yesterday at 6:40pm CET and the customer has been requested to clean up his config.

BR
Jens

Jason Kalai Arasu wrote:
> I encountered it yesterday from AS47868.
> 
> -Original Message-
> From: Paul Ferguson [mailto:fergdawgs...@gmail.com] 
> Sent: Tuesday, February 17, 2009 01:02 PM
> To: nanog@nanog.org
> Subject: Re: anyone else seeing very long AS paths?
> 
> On Mon, Feb 16, 2009 at 8:51 PM, Michael Ulitskiy 
> wrote:
> 
>> It hit my routers at 11:26:40, EST.
> 
>> Michael
> 
>> On Monday 16 February 2009 07:26:23 pm Adam Greene wrote:
>>> Anyone have an estimate as to when these long announcements began? 
>>> Seems like the first reports appeared just before noon, UTC-05.
>>>
>>> We noticed a significant dip in Internet traffic to AS11579 for a few
> 
>>> minutes last night (19:00 UTC-05) which we've been trying to hunt 
>>> down the cause of. At first glance, the two events seem unrelated. 
>>> Anyone else see anything similar?
> 
> 
> Just as a follow-up -- and in case anyone hasn't read these yet:
> 
> http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml
> http://asert.arbornetworks.com/2009/02/ahh-the-ease-of-introducing-globa
> l-r
> outing-instability/
> 
> - ferg
> 

> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet  fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/

--
===

Jens Ott
Head of Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501

E-Mail: j@plusserver.de
GPG-Fingerprint: 808A EADF C476 FABE 2366  8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth

Germany

HRB 58428 / Amtsgericht Köln, VAT ID DE216 740 823
Management Board: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Chairman of the Supervisory Board: Claudius Schmalschläger

===




Re: Global Blackhole Service

2009-02-15 Thread Jens Ott - PlusServer AG

Hi,


Paul Vixie wrote:
> a minor editorial comment:
> 
> Jens Ott - PlusServer AG  writes:
> 
>> Jack Bates wrote:
>>> Paul Vixie wrote:
>>>
>>> Do you have a miraculous way to stop DDOS? Is there now a way to quickly
>>> and efficiently track down forged packets? Is there a remedy to shutting
>>> down the *known* botnets, not to mention the unknown ones?
> 
> the quoted text was written by jack bates, not paul vixie.

Sorry ... must have deleted a little too much from the context. Didn't
want to put someone's words into the other one's mouth ...

Have a nice Sunday



Re: Global Blackhole Service

2009-02-13 Thread Jens Ott - PlusServer AG

Jack Bates wrote:
> Paul Vixie wrote:
> 
> Do you have a miraculous way to stop DDOS? Is there now a way to quickly
> and efficiently track down forged packets? Is there a remedy to shutting
> down the *known* botnets, not to mention the unknown ones?

This is another issue, and _all_ of us are in charge of keeping our nets clean
from outgoing DoS. Most outgoing DoS inside our network is mitigated - ok,
most of the time the DoS'ing server is disconnected - in less than 10
minutes, as we do not only check what's coming in, but also check what our
customers are sending out. And as soon as someone forges IPs, he's
disconnected unless we know what was happening (mostly hacked servers) and the
issue was fixed. As it is the nature of DoS that there are lots of packets
sent, they can easily be identified in (s|c|net)flows ... unfortunately there
are _lots_ of ISPs not having automated mechanisms for misuse detection and
mitigation, or if they have some, they don't care about alarms.

Therefore I agree, the only practicable way to protect the majority of
customers is to blackhole the IP under attack.

Even if the DoS is not DDoS, but coming from one single source ... 99.9% of any
emails to any NOC worldwide are not answered in less than one hour
(especially in "out-of-shift hours") and of the 0.1% left I bet 99.9% of the
DoS are also not stopped during this hour. And one hour of DoS may make some
small ISP lose more money than they earn per month!


> 
> 
> While all this is worked out, we have one solution we know works. If we
> null route the victim IP, the traffic stops at the null route. Since
> most attackers don't care to DOS the ISP, but just to take care of that
> end point, they usually don't start shifting targets to try and keep the
> ISP itself out.

ACK!

> 
> Jack
> 





Re: Global Blackhole Service

2009-02-13 Thread Jens Ott - PlusServer AG

Steven M. Bellovin wrote:
> On Fri, 13 Feb 2009 16:41:41 + (WET)
> Nuno Vieira - nfsi telecom  wrote:
> 
>> Ok, however, what I am talking about is a completely different thing,
>> and I think that my thoughts are aligned with Jens.
>>
>> We want to have a Sink-BGP-BL, based on Destination.
>>
>> Imagine, I as an ISP, host a particular server that is getting nn
>> Gbps of DDoS attack.  I null route it, and start advertising a /32 to
>> my upstream providers with a community attached, for them to null
>> route it at their network. However, the attacks continue going, on
>> and on, often flooding internet exchange connections and so.
>>
>> A solution like this, widely used, would prevent packets from leaving
>> their home network, mitigating effectively any kind of DDoS (or
>> packet flooding).
>>
>> Obviously, we need a few people to build this (a website, an
>> organization), where when a new ISP connects and is added to the system,
>> a prefix list should be implemented, preventing that ISP from announcing
>> IP addresses that DON'T belong to him.
>>
>> The Sink-BGP-BL sends a full feed of what it gets to member ISPs,
>> and those member ISPs should apply route-maps or whatever they
>> want, but, in the end they want to discard the traffic to those
>> prefixes (ex: Null0 or /dev/null).
>>
>> This is a matter of getting enough people to kick this off, to build
>> a website, to establish one or two route-servers and to give use to.
>>
>> Once again, I am interested in this, if others are as well, let know.
>> This should be a community-driven project.
>>
>>
> In other words, a legitimate prefix hijacking service...
> 
> As Randy and Valdis have pointed out, if this isn't done very carefully
> it's an open invitation to a new, very effective DoS technique.  You
> can't do this without authoritative knowledge of exactly who owns any
> prefix; you also have to be able to authenticate the request to
> blackhole it.  Those two points are *hard*.  

As described in my earlier mail, I'd suggest running a prefix-list generator
that updates its information from the IRR on a regular basis and, as soon as a
new "matching" route-object appears in the IRR, sends an automated mail to the
ASN owner (address also taken from the IRR records) with a confirmation link.

That way you'd need to hijack the IRR database and/or the tech-c/admin-c mailbox
before being able to have a prefix added to the list of prefixes accepted from
your peer.

> I also note that the
> scheme as described here is incompatible with more or less any possible
> secured BGP, since by definition it involves an AS that doesn't own a
> prefix advertising a route to it.

No, the router may work as a Route-Reflector, so you see exactly the AS path as
is and the route-reflector's own ASN isn't visible at all.

> 
> 
>   --Steve Bellovin, http://www.cs.columbia.edu/~smb
> 





Re: Global Blackhole Service

2009-02-13 Thread Jens Ott - PlusServer AG

@jack: sorry for duplicate ... pressed reply instead of reply-all ;)

Jack Bates wrote:
> valdis.kletni...@vt.edu wrote:
> Presumably, the route server would have to have the same guidelines as
> issued by service providers. ie, /32 networks injected should come from
> authenticated feeds and fall within the netblock range owned by the
> injector. So one extra set of ACL's for each injector to upkeep. I
> believe what is being suggested is just one step beyond what many
> providers give to BGP customers to extend blackholes out.

Exactly, that's the way I intended it. I know that it's not too small a thing to
maintain such a system; we have been running it successfully for years with both
downstream BGP customers and upstreams. Even with quite a small number of
downstreams there are several changes each month (new IP space, drop-off of PI
moved away from the customer ...), but I think it would be a manageable thing
to keep it up to date when preparing some automatism, e.g. an automated
prefix-list generator requesting authorization (e.g. an automated mail with a
link including an authorization hash) for blackholing from the AS owner before
accepting prefixes ...

>
>> Oh, and cleaning up an entry in a timely fashion is also important,
>> otherwise
>> an attacker can launch a DDoS, get the target into the feed, and walk
>> away...
>
> This also would be decided by the injecting provider. More of a "Hey,
> one of my IPs is being DDOS'd, please drop traffic to it to protect the
> rest of my network." The downside to widespread use, is that it makes
> tracking the problem on the other side of the blocks near impossible. In
> all cases, once a blackhole is initiated anywhere, the DDOS has been
> successful.

Well, for that single IP the DDoS was successful, but looking at the issue I
had yesterday, it's to protect other customers from also getting into trouble due
to this DoS. The complete rack had a 1GBit uplink, which is normally absolutely
sufficient for 20 servers. Well, one single server was under attack, but 19
other "innocent" customers were not reachable. And the even bigger problem
was that the AMS-IX port of one of my upstreams was "filled to death" due to this
DoS, and therefore several thousand customers had enormous packet loss due to
one single destination IP. Therefore it's to decide what to prefer: one single
customer dead or thousands of angry customers. And I know that I prefer to
protect my own backbone under these circumstances.

> We use automatic community changes to accept /32 blackholes
> from customers, verify them, then send them on to peers that also
> support /32 blackholes with appropriate communities.

That's what we currently also do and until now we never had any problem with 
this.

BR
Jens
>
> Jack
>


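As an added example (not code from the thread, PlusServer or any named project), the peer-side acceptance check Jens and Jack sketch in this and the preceding post: host routes only, confirmed ASN owner, and the /32 or /128 must fall inside the injector's own registered space. The IRR table, the HMAC confirmation-link token and the server secret are constructed stand-ins.

```python
"""Acceptance filter for a shared blackhole route-server (added example).

Assumptions (not from the thread): IRR_ROUTES is a constructed stand-in for
route objects pulled from the IRR, and the confirmation link carries an HMAC
token keyed with a constructed server secret.
"""
import hashlib
import hmac
import ipaddress

# Constructed sample of IRR route objects: origin ASN -> registered prefixes.
IRR_ROUTES = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}

# Constructed server-side secret for the confirmation-link token.
SECRET = b"constructed-demo-secret"


def make_token(asn, contact):
    """Token embedded in the mail sent to the IRR tech-c/admin-c address."""
    return hmac.new(SECRET, f"{asn}:{contact}".encode(), hashlib.sha256).hexdigest()


def confirm(asn, contact, token, confirmed_asns):
    """Mark the ASN as confirmed if the clicked link carries a valid token.

    Only whoever controls the registered mailbox can produce it, which is the
    hurdle the thread relies on: hijack the IRR or the mailbox, or stay out."""
    if hmac.compare_digest(make_token(asn, contact), token):
        confirmed_asns.add(asn)
        return True
    return False


def allowed_prefixes(asn):
    """Prefixes the injector may blackhole inside, from its IRR route objects."""
    return [ipaddress.ip_network(p) for p in IRR_ROUTES.get(asn, [])]


def validate_announcement(asn, prefix, confirmed_asns):
    """Return (accepted, reason) for one announcement received from peer `asn`.

    Rules from the thread: /32 or /128 only, the ASN owner must have confirmed,
    and the host route must fall inside the injector's own registered space."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.prefixlen != net.max_prefixlen:
        return False, "only /32 or /128 blackholes are accepted"
    if asn not in confirmed_asns:
        return False, "ASN owner has not confirmed participation"
    covering = [p for p in allowed_prefixes(asn) if p.version == net.version]
    if not any(net.subnet_of(p) for p in covering):
        return False, "prefix not covered by the injector's IRR route objects"
    return True, "accepted"
```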



Re: Global Blackhole Service

2009-02-13 Thread Jens Ott - PlusServer AG

Skywing wrote:
> Of course, whomever hosts such a service becomes an attractive DoS target 
> themselves if it were ever to gain real traction in the field.  There is also 
> the "reverse-DoS" issue of an innocent party getting into the feed if anyone 
> can peer with it.


You are right, and that's also what I am currently thinking about. Well, one
solution might be that all participants' blackhole-router IPs are also
announced with some special community, and all participants drop all traffic
but BGP traffic from IPs listed with that community to the blackhole RR
destination(s) everywhere in their network.

BR
Jens

> 
> - S
> 
> -Original Message-
> From: Nuno Vieira - nfsi telecom 
> Sent: Friday, February 13, 2009 07:13
> To: Jens Ott - PlusServer AG 
> Cc: nanog 
> Subject: Re: Global Blackhole Service
> 
> 
> Hi Jens,
> 
> I think we are in the same boat.
> 
> We suffered the same problem often, on a lower magnitude, but if a project 
> like this exists those DDoS could even be almost near zero.
> 
> This is somewhat similar to what Spamcop, and other folks do with SPAM today, 
> but applied on a different scope, say, BGP Blackhole.
> 
> This service can span wide after just peers, opening the opportunity to 
> edge-to-edge DDoS mitigation.
> 
> Say, a network in .pt or .de is being attacked at large, and dst operators 
> inject the dst attacked source on the blackhole bgp feed...   say that 100+ 
> other ops around the world use a scenario like this... this might be very 
> useful.
> concerns: the "authority" or the "responsible" for maintaining this project, 
> must assure that OP A or OP B can *only* announce chunks that belong to him, 
> avoiding any case of hijack.
> 
> We would be interested in participating in something like this.
> 
> So,
> 
>> My questions to all of you:
>>
>> - What do you think about such service?
> 
> It will be great. We are available to help.
> 
>> - Would you/your ASN participate in such a service?
> 
> Yes.
> 
>> - Do you see some kind of useful feature in such a service?
> 
> Yes, a few thoughts above, some more might come up.
> 
>> - Do you have any comments?
> 
> For starters, a few above.
> 
> Regards,
> ---
> Nuno Vieira
> nfsi telecom, lda.
> 
> nuno.vie...@nfsi.pt
> Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
> http://www.nfsi.pt/
> 
> 
> 
> "Jens Ott - PlusServer AG" wrote:
> 
> Hi,
> 
> in the last 24 hours we received two denial of service attacks with something
> like 6-8GBit volume. It did not harm us too much, but e.g. one of our
> upstreams got his AMS-IX port exploded.
> 
> With our upstreams we have remote-blackhole sessions running where we announce
> /32 prefixes to blackhole at their edge, but this does not work with our
> peers. Also our DE-CIX port received something like 2Gbit extra traffic during
> this DoS.
> 
> I can imagine that for some peers, especially for the ones having only a thin
> fiber (e.g. 1GBit) to DE-CIX, it's not too funny having it flooded with a DoS
> and that they might be interested in dropping such traffic at their edge.
> 
> Well, I could discuss with my peers (at least the ones who might get in trouble
> with such an issue) to do some individual config for some blackhole announcement,
> but most probably I'm not the only one receiving DoS and who would be
> interested in such a setup.
> 
> Therefore I had the following idea: Why not take one of my old routers and
> set it up as a blackhole service. Then everyone who is interested could set up a
> session to it and
> 
> 1.) announce /32 (/128) routes out of his prefixes to blackhole them
> 2.) receive all the /32 (/128) announcements from the other peers with the IPs
> they want to have blackholed and roll out the blackhole to their network.
> 
> My questions to all of you:
> 
> - What do you think about such a service?
> - Would you/your ASN participate in such a service?
> - Do you see some kind of useful feature in such a service?
> - Do you have any comments?
> 
> Thank you for telling me your opinions and best regards
> 




Global Blackhole Service

2009-02-13 Thread Jens Ott - PlusServer AG

Hi,

in the last 24 hours we received two denial of service attacks with something
like 6-8GBit volume. It did not harm us too much, but e.g. one of our
upstreams got his AMS-IX port exploded.

With our upstreams we have remote-blackhole sessions running where we announce
/32 prefixes to blackhole at their edge, but this does not work with our
peers. Also our DE-CIX port received something like 2Gbit extra traffic during
this DoS.

I can imagine that for some peers, especially for the ones having only a thin
fiber (e.g. 1GBit) to DE-CIX, it's not too funny having it flooded with a DoS
and that they might be interested in dropping such traffic at their edge.

Well, I could discuss with my peers (at least the ones who might get in trouble
with such an issue) to do some individual config for some blackhole announcement,
but most probably I'm not the only one receiving DoS and who would be
interested in such a setup.

Therefore I had the following idea: Why not take one of my old routers and
set it up as a blackhole service. Then everyone who is interested could set up a
session to it and

1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs
they want to have blackholed and roll out the blackhole to their network.

My questions to all of you:

- What do you think about such a service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?

Thank you for telling me your opinions and best regards
