Re: Global Blackhole Service
Jens Ott - PlusServer AG wrote: Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and I do something similar on our network with a RTBH trigger router. I peer with it from my edges that are capable of handling that many BGP routes. I feed into it hosts that scan our networks looking for running SSH daemons and open proxies on specific default ports. With uRPF on all our edges it will drop traffic whether the target IP is the source or the destination. Works slick. The Cisco Press Router Security Strategies book has good examples. A trustworthy source for BGP blacklists of sorts would be an excellent thing IMHO. I'd love to be able to reliably drop traffic from malicious hosts before they scan our network and end up in my netflow logs. Trust would be a big issue though. Justin
Re: Global Blackhole Service
[] I keep reading this subject as Global Backhoe Service, ie, the sworn enemy of NANOG :) Mike
Re: Global Blackhole Service
On Fri, 13 Feb 2009 15:57:32 +0100 Jens Ott - PlusServer AG j@plusserver.de wrote: in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded. [...] Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and Hi Jens, We do something similar globally with our bogon route server project. We'd be happy to host and maintain a similar setup. John
Re: Global Blackhole Service
where you lose me is where the attacker must always win. Do you have a miraculous way to stop DDOS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy to shutting down the *known* botnets, not to mention the unknown ones? there are no silver bullets. anyone who says otherwise is selling something. The attacker will always win if he has a large enough attack platform/... While all this is worked out, we have one solution we know works. we had to destroy the village in order to save it. If we null route the victim IP, the traffic stops at the null route. Since most attackers don't care to DOS the ISP, but just to take care of that end point, they usually don't start shifting targets to try and keep the ISP itself out. if you null route the victim IP, the victim is off the air, so the DDoS is a success even though it mostly does not reach its target. you're proposing that we lower an attacker's costs. in a war of economics that's bad juju, and all wars are about economics. there are no silver bullets. isp's who permit random source addresses on packets leaving their networks are creating a global hazard, and since they are defending their practices on the basis of thin profit margins it's right to call this the chemical polluter business model. as long as the rest of us continue to peer with these chemical polluters, then anyone on the internet can be the victim of a devastating DDoS at any time and at low cost. that's not a silver bullet however. if most ISP's controlled their source addresses there would still be DDoS's and then the new problem would be lack of real-time cooperation along the lines of hi i'm in the XYZ NOC and we're tracking a DDoS against one of our customers and 14% of it is coming from your address space, here's the summary of timestamp-ip-volume and here's a pointer to your share of the netflows, can you remediate? the answer will start out just like today's BCP38 answer, no we can't afford the staff or technology to do that, and then lawyers would worry about liability, and we'd all have to worry about monopolies, censorship, social engineering, and so on. in all of these cases the problem is the margins themselves. just as the full cost of a fast food cheeseburger is probably about $20 if you count all the costs that the corporations are shifting onto society, so it is that the full cost of a 3MBit/sec DSL line is probably $300/month if you count all the costs that ISPs shift onto digital society. the usual argument goes (and i'm just putting it out here to save time, though i'm betting several respondants will not read closely and so will just spew this out as though it's their original idea and as though i had not dismissed it many times over the decades): we cannot build a digital economy without cost shifting since noone would pay what it really costs during the rampup. i don't dignify that with a reply, either here in effigy, or if anyone happens to trot it out again.
Re: Global Blackhole Service
On Feb 14, 2009, at 5:43 PM, Florian Weimer wrote: * Steven M. Bellovin: As Randy and Valdis have pointed out, if this isn't done very carefully it's an open invitation to a new, very effective DoS technique. You can't do this without authoritative knowledge of exactly who owns any prefix; you also have to be able to authenticate the request to blackhole it. Those two points are *hard*. If you want to run a public exchange point, you need to solve the same announcement validation problem. Multiple organizations appear to do it successfully, so it can't be that difficult. No you don't. And yes it is. To be clear, I am not saying it should or should not be done, just that your comparison is invalid. -- TTFN, patrick
Re: Global Blackhole Service
a minor editorial comment: Jens Ott - PlusServer AG j@plusserver.de writes: Jack Bates schrieb: Paul Vixie wrote: Do you have a miraculous way to stop DDOS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy to shutting down the *known* botnets, not to mention the unknown ones? the quoted text was written by jack bates, not paul vixie. -- Paul Vixie
Re: Global Blackhole Service
On Fri, Feb 13, 2009 at 8:27 PM, Jens Ott - PlusServer AG j@plusserver.de wrote: - - What do you think about such service? - - Would you/your ASN participate in such a service? - - Do you see some kind of usefull feature in such a service? - - Do you have any comments? Ah. rbl.maps.vix.com from about a decade back when it was available as a bgp feed. But only for ddos sources. srs
Re: Global Blackhole Service
would this itself not be a dos path? randy
Re: Global Blackhole Service
In that way, Spamcop and other folks are DOS'ing for years aswell. And in fact, by denying things around, they are just scrubing and filtering, to make our day happier, avoiding huge masses of spam and useless crap. I don't see it the way you do. A project like this, like also spamcop, are great paths to take out the scum and undesired things from the net. regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Randy Bush ra...@psg.com wrote: would this itself not be a dos path? randy
Re: Global Blackhole Service
Hi Suresh, But in the meanwhile, a decade later, it does not longer exist. At least, i can't reach that host, and i was unable to find working documentation on google of how about this project works, today. In fact, the first link that google gave out, says that this project is dead at least 2 years ago. http://www.dnsbl.com/2007/02/status-of-rblmapsvixcom-invalid-domain.html I think that we all have a real opportunity here for make something that can be useful to all. And, we are not talk of spam here, but, to mitigate time, money and patience consuming DDoS attacks, which often are easier to mitigate only at the Source and at the Destination, while at Destinatation, sink is the only viable solution that is out there today. regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Suresh Ramasubramanian ops.li...@gmail.com wrote: On Fri, Feb 13, 2009 at 8:27 PM, Jens Ott - PlusServer AG j@plusserver.de wrote: - - What do you think about such service? - - Would you/your ASN participate in such a service? - - Do you see some kind of usefull feature in such a service? - - Do you have any comments? Ah. rbl.maps.vix.com from about a decade back when it was available as a bgp feed. But only for ddos sources. srs
Re: Global Blackhole Service
On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said: Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and 1.) announce /32 (/128) routes out of his prefixes to blackhole them 2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and rollout the blackhole to their network. How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed. You usually don't *have* a similar luxury if you're trying to deal with a DDoS, because those are essentially a real-time issue. Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away... pgpbpAddW2Wfu.pgp Description: PGP signature
Re: Global Blackhole Service
DDoS drones - especially with botnets - can produce a really large zone To start with google spamhaus drop list. Then look at the cbl and see if you think its worth using as a bgp feed On Fri, Feb 13, 2009 at 9:20 PM, Nuno Vieira - nfsi telecom nuno.vie...@nfsi.pt wrote: Hi Suresh, But in the meanwhile, a decade later, it does not longer exist. At least, i can't reach that host, and i was unable to find working documentation on google of how about this project works, today. In fact, the first link that google gave out, says that this project is dead at least 2 years ago. http://www.dnsbl.com/2007/02/status-of-rblmapsvixcom-invalid-domain.html I think that we all have a real opportunity here for make something that can be useful to all. And, we are not talk of spam here, but, to mitigate time, money and patience consuming DDoS attacks, which often are easier to mitigate only at the Source and at the Destination, while at Destinatation, sink is the only viable solution that is out there today. regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Suresh Ramasubramanian ops.li...@gmail.com wrote: On Fri, Feb 13, 2009 at 8:27 PM, Jens Ott - PlusServer AG j@plusserver.de wrote: - - What do you think about such service? - - Would you/your ASN participate in such a service? - - Do you see some kind of usefull feature in such a service? - - Do you have any comments? Ah. rbl.maps.vix.com from about a decade back when it was available as a bgp feed. But only for ddos sources. srs -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Global Blackhole Service
valdis.kletni...@vt.edu wrote: How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed. Presumably, the route server would have to have the same guidelines as issued by service providers. ie, /32 networks injected should come from authenticated feeds and fall within the netblock range owned by the injector. So one extra set of ACL's for each injector to upkeep. I believe what is being suggested is just one step beyond what many providers give to BGP customers to extend blackholes out. Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away... This also would be decided by the injecting provider. More of a Hey, one of my IPs is being DDOS'd, please drop traffic to it to protect the rest of my network. The downside to widespread use, is that it makes tracking the problem on the other side of the blocks near impossible. In all cases, once a blackhole is initiated anywhere, the DDOS has been successful. We use automatic community changes to accept /32 blackholes from customers, verify them, then send them on to peers that also support /32 blackholes with appropriate communities. Jack Jack
Re: Global Blackhole Service
Ok, however, what i am talking about is a competelly diferent thing, and i think that my thoughts are alligned with Jens. We want to have a Sink-BGP-BL, based on Destination. Imagine, i as an ISP, host a particular server that is getting nn Gbps of DDoS attack. I null route it, and start advertising a /32 to my upstream providers with a community attached, for them to null route it at their network. However, the attacks continue going, on and on, often flooding internet exchange connections and so. A solution like this, widelly used, would prevent packets to leave their home network, mitigating with effective any kind of DDoS (or packet flooding). Obviously, we need a few people to build this (A Website, an organization), where when a new ISP connects is added to the system, a prefix list should be implemented, preventing that ISP to announce IP addresses that DON'T belong to him. The Sink-BGP-BL sends a full feed of what it gots to Member ISP's, and those member ISP's, should apply route-maps or whatever they want, but, in the end they want to discard the traffic to those prefixes (ex: Null0 or /dev/null). This is a matter or getting enough people to kick this off, to build a website, to establish one or two route-servers and to give use to. Once again, i am interested on this, if others are aswell, let know. This should be a community-driven project. regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Valdis Kletnieks valdis.kletni...@vt.edu wrote: How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed. You usually don't *have* a similar luxury if you're trying to deal with a DDoS, because those are essentially a real-time issue. Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away...
Re: Global Blackhole Service
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Skywing schrieb: Of course, whomever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real traction in the field. There is also the reverse-DoS issue of an innocent party getting into the feed if anyone can peer with it. You are right, and that's also what I am currently thinking about. Well, one solution might be, that all participants blackhole-routers IPs are also announced with some special community and all participants drop all traffic but bgp traffic from IPs listed with that community to the blackhole RR destination(s) everywhere in there network. BR Jens - S -Original Message- From: Nuno Vieira - nfsi telecom nuno.vie...@nfsi.pt Sent: Friday, February 13, 2009 07:13 To: Jens Ott - PlusServer AG j@plusserver.de Cc: nanog nanog@nanog.org Subject: Re: Global Blackhole Service Hi Jens, I think we are in the same boat. We suffered the same problem often, on a lower magnitude, but if a project like this exists those DDoS could even be almost near zero. This is somewhat similar to what Spamcop, and other folks do with SPAM today, but applied on a diferent scope, say, BGP Blackhole. This service can span wide after just peers, opening the opportunity to edge-to-edge DDoS mitigation. Say, a network in .pt or .de is beign attacked at large, and dst operators inject the dst attacked source on the blackhole bgp feed... say that 100+ other ops around the world use a cenário like this... this might be very useful. concers: the autohority or the responsible for maintaining this project, must assure that OP A or OP B can *only* annouce chunks that below to him, avoiding any case of hijack. We would be interested in participating in something like this. So, My questions to all of you: - - What do you think about such service? It will be great. We are available to help. - - Would you/your ASN participate in such a service? Yes. - - Do you see some kind of usefull feature in such a service? Yes, a few thoughts above, some more might come up. - - Do you have any comments? For starters, a few above. Regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Jens Ott - PlusServer AG j@plusserver.de wrote: Hi, in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded. With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge, but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS. I can imagine, that for some peers, especially for the once having only a thin fiber (e.g. 1GBit) to Decix, it's not to funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge. Well I could discuss with my peers (at least the once who might get in trouble with such issue) to do some individual config for some blackhole-announcement, but most probably I'm not the only one receiving DoS and who would be interested in such setup. Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and 1.) announce /32 (/128) routes out of his prefixes to blackhole them 2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and rollout the blackhole to their network. My questions to all of you: - What do you think about such service? - Would you/your ASN participate in such a service? - Do you see some kind of usefull feature in such a service? - Do you have any comments? Thank you for telling me your opinions and best regards - -- === Jens Ott Leiter Network Management Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501 E-Mail: j@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A PlusServer AG Daimlerstraße 9-11 50354 Hürth Germany HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger === -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmVqvwACgkQMf0yjMLKfXp1OgCfcvTgueonvW4z0dOash9KWUb0 pjMAniZprPAM14H477EHy4I0Ccd9nqy4 =EH0/ -END PGP SIGNATURE-
Re: Global Blackhole Service
On Fri, 13 Feb 2009 16:41:41 + (WET) Nuno Vieira - nfsi telecom nuno.vie...@nfsi.pt wrote: Ok, however, what i am talking about is a competelly diferent thing, and i think that my thoughts are alligned with Jens. We want to have a Sink-BGP-BL, based on Destination. Imagine, i as an ISP, host a particular server that is getting nn Gbps of DDoS attack. I null route it, and start advertising a /32 to my upstream providers with a community attached, for them to null route it at their network. However, the attacks continue going, on and on, often flooding internet exchange connections and so. A solution like this, widelly used, would prevent packets to leave their home network, mitigating with effective any kind of DDoS (or packet flooding). Obviously, we need a few people to build this (A Website, an organization), where when a new ISP connects is added to the system, a prefix list should be implemented, preventing that ISP to announce IP addresses that DON'T belong to him. The Sink-BGP-BL sends a full feed of what it gots to Member ISP's, and those member ISP's, should apply route-maps or whatever they want, but, in the end they want to discard the traffic to those prefixes (ex: Null0 or /dev/null). This is a matter or getting enough people to kick this off, to build a website, to establish one or two route-servers and to give use to. Once again, i am interested on this, if others are aswell, let know. This should be a community-driven project. In other words, a legitimate prefix hijacking service... As Randy and Valdis have pointed out, if this isn't done very carefully it's an open invitation to a new, very effective DoS technique. You can't do this without authoritative knowledge of exactly who owns any prefix; you also have to be able to authenticate the request to blackhole it. Those two points are *hard*. I also note that the scheme as described here is incompatible with more or less any possible secured BGP, since by definition it involves an AS that doesn't own a prefix advertising a route to it. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Global Blackhole Service
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 @jack: sorry for duplicate ... pressed reply instead of reply-all ;) Jack Bates schrieb: valdis.kletni...@vt.edu wrote: Presumably, the route server would have to have the same guidelines as issued by service providers. ie, /32 networks injected should come from authenticated feeds and fall within the netblock range owned by the injector. So one extra set of ACL's for each injector to upkeep. I believe what is being suggested is just one step beyond what many providers give to BGP customers to extend blackholes out. Exactly that's the way I intended. I know that it's a not to small thing to maintain such a system, we are running it successfully for years with both, downstream-bgp-customers and upstreams. Even with quiet a small number of downstreams there are several changes each month (new IP-Space, drop-off of PI moved away from the customer ...), but I think it would be a manageable thing to keep it up2date when preparing some automatism. E.g. a automated prefix-list-generator requesting the authorization (e.g. automated mail with link including authorization-hash) for blackholing at the AS-Owner before accepting prefixes ... Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away... This also would be decided by the injecting provider. More of a Hey, one of my IPs is being DDOS'd, please drop traffic to it to protect the rest of my network. The downside to widespread use, is that it makes tracking the problem on the other side of the blocks near impossible. In all cases, once a blackhole is initiated anywhere, the DDOS has been successful. Well, for that single IP the DDoS was sucessfull, but looking at the issue I had yesterday, it's to protect other customers also getting into trouble due to this DoS. The complete rack had 1GBit-Uplink, which is normally absolutely sufficient for 20 servers. Well one single server was under attack, but 19 other innocent customers were not reachable. And, the even bigger problem was, the AMSIX-Port of one of my upstreams was filled to death due to this DoS and therefore several thousand customers had enormous packetloss due to one single destination-ip. Therefore it's to decide what to prefer, one single customer dead or thousands of angry customers. And I know that I prefer to protect my own backbone under these circumstances. We use automatic community changes to accept /32 blackholes from customers, verify them, then send them on to peers that also support /32 blackholes with appropriate communities. That's what we currently also do and until now we never had any problem with this. BR Jens Jack Jack - -- === Jens Ott Leiter Network Management Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501 E-Mail: j@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A PlusServer AG Daimlerstraße 9-11 50354 Hürth Germany HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger === -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmVq0gACgkQMf0yjMLKfXqq+QCfW7FzEeXE8MsN3DJQcn8B/ezE EIwAoJttNgusWNFu+ebOswIBw0g6734w =5x5v -END PGP SIGNATURE-
Re: Global Blackhole Service
Paul Vixie wrote: i think Spamhaus and Cymru are way ahead of you in implementing such a thing, and it's likely that there are even commercial alternatives to Trend Micro although i have not kept up on those details. I think there's a misunderstanding from what I've read about what is being blackholed. We are not talking about blackholing the senders, but a massive scale method of blackholing the victims at the victim's request to protect infrastructure. Currently this type of service usually doesn't extend beyond one or two ASs and depending on traffic flows can still cause damage, especially through exchange points. With enough support and use, this would allow a larger portion of bad traffic to be null routed closer to the sender origination points. Since the null routing BGP servers would expect a larger routing table from these /32 networks, they would be placed at key points capable of handling the larger tables; compared to just allowing the /32's out into the wild and possibly exceeding route/memory constraints. It can also be used as authoritative information that an IP is undergoing a DOS attack, and large volumes of connections to that IP should be considered suspect. I consider this a much more useful method of detecting DOS traffic leaving your infected users than the emails which are usually sent out by those being hit by DOS. Jack
Re: Global Blackhole Service
Jens, I would be interested in participating with a destination blackhole service, so long as peers were authenticated and only authorized to advertise /32s out of space that they are assigned -- hopefully the same OrgID is used for the ASN as the IP allocations. However, a blackhole service based on sources would be out of the question altogether in my book, unless paired with a number of third parties that could vet the badness of those source IPs, as is done with spam zombies. Even then I'd be very nervous about it from a causes more [potential] problems than it fixes standpoint, no matter how cool it would be to defang a DDoS. As for the memory requirements / oh no! too many routes! issue, that would be a non-issue for me. Feel free to contact me off-list if you're serious about starting this project. I think that it would be worth it to talk to the Team Cymru guys to see if they'd be interested in this. -Tico Jens Ott - PlusServer AG wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, in the last 24 hours we received two denial of service attacks with something like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded. With our upstreams we have remote-blackhole sessions running where we announce /32 prefixes to blackhole at their edge, but this does not work with our peers. Also our Decix-Port received something like 2Gbit extra-traffic during this DoS. I can imagine, that for some peers, especially for the once having only a thin fiber (e.g. 1GBit) to Decix, it's not to funny having it flooded with a DoS and that they might be interested in dropping such traffic at their edge. Well I could discuss with my peers (at least the once who might get in trouble with such issue) to do some individual config for some blackhole-announcement, but most probably I'm not the only one receiving DoS and who would be interested in such setup. Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and 1.) announce /32 (/128) routes out of his prefixes to blackhole them 2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and rollout the blackhole to their network. My questions to all of you: - - What do you think about such service? - - Would you/your ASN participate in such a service? - - Do you see some kind of usefull feature in such a service? - - Do you have any comments? Thank you for telling me your opinions and best regards - -- === Jens Ott Leiter Network Management Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501 E-Mail: j@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A PlusServer AG Daimlerstraße 9-11 50354 Hürth Germany HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger === -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmVilwACgkQMf0yjMLKfXpNuQCeKcicthIadISe7I+Xs5ZNHS+1 0qUAnRDkOY9/6kokq3Hf68BRQFfkP3xy =jKUA -END PGP SIGNATURE-
Re: Global Blackhole Service
blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure. where you lose me is where the attacker must always win.
Re: Global Blackhole Service
Listen online to my favorite hip hop radio station http://www.Jellyradio.com On Feb 13, 2009, at 9:35 AM, Paul Vixie vi...@isc.org wrote: blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure. where you lose me is where the attacker must always win. Perhaps removing the challenge from the attacker will bore them and they lose interest? However if an attackers goal is to put someone out of business, they will keep it up until the deed is done. Identifying the attacker is important. They must be the one who is in trouble, not the victim. We have seen attackers extorting customers for money with things like 100k wired to Nevis bank account or attack continues. In any case I do not believe a victim should be responsible for infrastructure damage caused by some random criminal attacking them. While I understand that it's that customer receiving the attack; the providers must work with the customer to trace it back to the source. A hacker who thinks the customer is on a security weak provider will return seeking your other customers. However if the hacker feels you are security savvy then he may choose another target. Everyone wins. Also, rather than penalize the victim for damage, you could always unplug them to interdict the damage. By going after the hacker, you could prosecute and perhaps gain some nice press/media about the strength of your orginization as a side dish to the satisfying meal of eating your enemy?
Re: Global Blackhole Service
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jack Bates schrieb: Paul Vixie wrote: Do you have a miraculous way to stop DDOS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy to shutting down the *known* botnets, not to mention the unknown ones? This is another issue, and _all_ of us are in charge to keep their net clean from outgoing DoS. Most outgoing DoS inside our network are mitigated - ok most of the time the dos'ing server is being disconnected - in less than 10 minutes, as we do not only check what's coming in, but also check what our customers are sending out. And as soon as someone forges IPs, he's disconnected unless we know what was happening (mostly hacked servers) and the issue was fixed. As it is the nature of DoS that there are lots of packets send, they can easily be identified in (s|c|net)flows ... unfortunately there are _lots_ of ISP not having automated mechanism for misuse-detection and mitigation, or if they have some, they don't care about alarms. Therefore I agree, the only practicable way to protect the majority of customers is to blackhole the IP under attack. Even if the DoS is not DDoS, but coming from one single source... 99,9% of any emails to any NOC worldwide is not being answered in less than one hour (especially in out-shift-hours) and from the 0.1% left I bet 99,9% of the DoS are also not stopped during this hour. And one hour of DoS may make some small ISP loose more money then they earn per month! While all this is worked out, we have one solution we know works. If we null route the victim IP, the traffic stops at the null route. Since most attackers don't care to DOS the ISP, but just to take care of that end point, they usually don't start shifting targets to try and keep the ISP itself out. ACK! Jack - -- === Jens Ott Leiter Network Management Tel: +49 22 33 - 612 - 3501 Fax: +49 22 33 - 612 - 53501 E-Mail: j@plusserver.de GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A PlusServer AG Daimlerstraße 9-11 50354 Hürth Germany HRB 58428 / Amtsgericht Köln, USt-ID DE216 740 823 Vorstand: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe Aufsichtsratsvorsitz: Claudius Schmalschläger === -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmVv5EACgkQMf0yjMLKfXptpQCeNNgDOxXWoTBHA5W5yCwifcG2 IasAnAh06DE3qry/puXzBs05pBfIMSS/ =boMf -END PGP SIGNATURE-
Re: Global Blackhole Service
On Fri, Feb 13, 2009 at 1:04 PM, Jack Bates jba...@brightok.net wrote: Paul Vixie wrote: blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure. Blackholing victims is what is current practice. For each stage of affected it is A current practice.. so is filtering, so is scrubbing... there is no one answer for this. infrastructure, the business/provider will make requests to their peers to blackhole the victim IP to protect the bandwidth caps or router throughput caps. or cause no one really cares about: your.mama.wears.combat.boots.tobed.com ... or other silly 95%-of attacked, things. where you lose me is where the attacker must always win. Do you have a miraculous way to stop DDOS? Is there now a way to quickly and There are purchasable answers to this problem... 3 (at least) providers in the US (and at least one now offers it globally) offer traffic scrubbing services. I know that one offers it at a very reasonable price even... efficiently track down forged packets? Is there a remedy to shutting down you can track streams of forged packets, but that's not super important here. Forged packets actually make this part of the problem (stopping the dos) easier, not harder. the *known* botnets, not to mention the unknown ones? there are lots of folks tracking and shutting down botnets, it's not horribly effective in stopping this sort of thing. I can vividly recall tracking down 4 nights in a row the same 'botnet' (same controller person, different CC and mostly different bots) as they were being used to attack a customer of mine at the time. This with the cooperation of 2 other very large ISP's in the US and one vendor security team even. In the end though a simple scrubbing solution was deemed the simplest answer for all involved. The attacker will always win if he has a large enough attack For extreme cases this is true, but there are quite a lot of things on the spectrum which don't require super human efforts, and don't even require intervention from the ISP if proper precautions are taken at the outset. -chris
RE: Global Blackhole Service
I think this solution addresses a number of issues that the current blackhole process lacks. Generally when a blackhole is sent to your provider, they in turn pass that on to the rest of their routers, dropping the traffic as soon as it hits their network. The traffic is still taking up just as much capacity up to that point. Were a system implemented as discussed, providers are able to prevent traffic that is known to be malicious from even exiting their network, which in the end works out better for everyone. -- Regards, Jake Mertel Nobis Technology Group, L.L.C. Web: http://www.nobistech.net/ Phone: (312) 281-5101 ext. 401 Fax: (808) 356-0417 Mail: 201 West Olive Street Second Floor, Suite 2B Bloomington, IL 61701 -Original Message- From: Christopher Morrow [mailto:morrowc.li...@gmail.com] Sent: Friday, February 13, 2009 1:59 PM To: NANOG list Subject: Re: Global Blackhole Service On Fri, Feb 13, 2009 at 1:04 PM, Jack Bates jba...@brightok.net wrote: Paul Vixie wrote: blackholing victims is an interesting economics proposition. you're saying the attacker must always win but that they must not be allowed to affect the infrastructure. and you're saying victims will request this, since they know they can't withstand the attack and don't want to be held responsible for damage to the infrastructure. Blackholing victims is what is current practice. For each stage of affected it is A current practice.. so is filtering, so is scrubbing... there is no one answer for this. infrastructure, the business/provider will make requests to their peers to blackhole the victim IP to protect the bandwidth caps or router throughput caps. or cause no one really cares about: your.mama.wears.combat.boots.tobed.com ... or other silly 95%-of attacked, things. where you lose me is where the attacker must always win. Do you have a miraculous way to stop DDOS? Is there now a way to quickly and There are purchasable answers to this problem... 3 (at least) providers in the US (and at least one now offers it globally) offer traffic scrubbing services. I know that one offers it at a very reasonable price even... efficiently track down forged packets? Is there a remedy to shutting down you can track streams of forged packets, but that's not super important here. Forged packets actually make this part of the problem (stopping the dos) easier, not harder. the *known* botnets, not to mention the unknown ones? there are lots of folks tracking and shutting down botnets, it's not horribly effective in stopping this sort of thing. I can vividly recall tracking down 4 nights in a row the same 'botnet' (same controller person, different CC and mostly different bots) as they were being used to attack a customer of mine at the time. This with the cooperation of 2 other very large ISP's in the US and one vendor security team even. In the end though a simple scrubbing solution was deemed the simplest answer for all involved. The attacker will always win if he has a large enough attack For extreme cases this is true, but there are quite a lot of things on the spectrum which don't require super human efforts, and don't even require intervention from the ISP if proper precautions are taken at the outset. -chris
Re: Global Blackhole Service
* Valdis Kletnieks: On Fri, 13 Feb 2009 15:57:32 +0100, Jens Ott - PlusServer AG said: Therefore I had the following idea: Why not taking one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and 1.) announce /32 (/128) routes out of his prefixes to blackhole them 2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and rollout the blackhole to their network. How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? The same way you prevent rogue announcements. 8-/ I guess an IX would be able to perform some validation of blacklisting requests, or at least provide a contractual framework. I don't think a global solution exists (beyond the use my route server approach, which is quite global--until there are two of them).
Re: Global Blackhole Service
eventually, the rpki will give you the first half, authentication of the owner of the ip space. this leaves, as smb hinted, securing the request path from the black-hole requestor to the service and of the service to the users. smb: You can't do this without authoritative knowledge of exactly who owns any prefix; you also have to be able to authenticate the request to blackhole it. Those two points are *hard*. randy
Re: Global Blackhole Service
Nuno et all, Count me in for this.. Cheers, --Ricardo http://www.cs.ucla.edu/~rveloso On Feb 13, 2009, at 8:41 AM, Nuno Vieira - nfsi telecom wrote: Ok, however, what i am talking about is a competelly diferent thing, and i think that my thoughts are alligned with Jens. We want to have a Sink-BGP-BL, based on Destination. Imagine, i as an ISP, host a particular server that is getting nn Gbps of DDoS attack. I null route it, and start advertising a /32 to my upstream providers with a community attached, for them to null route it at their network. However, the attacks continue going, on and on, often flooding internet exchange connections and so. A solution like this, widelly used, would prevent packets to leave their home network, mitigating with effective any kind of DDoS (or packet flooding). Obviously, we need a few people to build this (A Website, an organization), where when a new ISP connects is added to the system, a prefix list should be implemented, preventing that ISP to announce IP addresses that DON'T belong to him. The Sink-BGP-BL sends a full feed of what it gots to Member ISP's, and those member ISP's, should apply route-maps or whatever they want, but, in the end they want to discard the traffic to those prefixes (ex: Null0 or /dev/null). This is a matter or getting enough people to kick this off, to build a website, to establish one or two route-servers and to give use to. Once again, i am interested on this, if others are aswell, let know. This should be a community-driven project. regards, --- Nuno Vieira nfsi telecom, lda. nuno.vie...@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ - Valdis Kletnieks valdis.kletni...@vt.edu wrote: How do you vet proposed new entries to make sure that some miscreant doesn't DoS a legitimate site by claiming it is in need of black-holing? Note that it's a different problem space than a bogon BGP feed or a spam-source BGP feed - if the Cymru guys take another 6 hours to do a proper paperwork and background check to verify a bogon, or if Paul and company take another day to verify something really *is* a cesspit of spam sources, it doesn't break the basic concept or usability of the feed. You usually don't *have* a similar luxury if you're trying to deal with a DDoS, because those are essentially a real-time issue. Oh, and cleaning up an entry in a timely fashion is also important, otherwise an attacker can launch a DDoS, get the target into the feed, and walk away...