netsec-sig - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing

Subject: Internet2 Network Security SIG

List archive

[Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing

From: "Spears, Christopher M." <>
To: Grover Browning <>
Cc: David Farmer <>, "" <>, "" <>, "" <>
Subject: [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing
Date: Tue, 26 Jul 2016 14:19:51 +0000
Accept-language: en-US
Authentication-results: spf=pass (sender IP is 164.107.81.222) smtp.mailfrom=oar.net; internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=bestguesspass action=none header.from=oar.net;
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

> On Jul 26, 2016, at 9:44 AM, Grover Browning
> <>
> wrote:
>
> David,
>
> Do you see a downside to transiting?

(Answering for myself, not David :)

IMHO, it’s an issue of trust/verification. At a fixed point in time, you may
trust a certain peer network; however you cannot control who they peer with,
or what they accept from those peers, or their peers, etc. That said, the
route will be propagated, so you can always limit the origin-as you’ll accept
this from. Of course, you’re then back to a per-peer blackhole policy, just
using a well-known BGP community.

>
> For BLACKHOLE, everything I can think of begins with: "First, hijack the
> route …”

Blackholing is the ultimate DOS - you get your target /32s blackholed, and
you’ve won. Again, trust. This is all destination-based hinting, not
source-specific ingress filtering for DDOS, and has nothing to do with route
hijacking. BCP38, anti-virus/malware, anti-botnet efforts, and bleach are
the only solutions for DDOS at the moment. Route hijacking has a mixed bag
of arguably effective tools, as well.

-Chris

>
> -Grover
>
>
>> On Jul 25, 2016, at 7:55 PM, David Farmer
>> <>
>> wrote:
>>
>> if experiments show it's useful I'd support it, but right now I'm
>> skeptical how useful transiting this would be for us.
>>
>

[Security-WG] New Well-Known BGP Community for Blackholing, David Farmer, 07/25/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Paul Howell, 07/26/2016
  - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Brad Fleming, 07/26/2016
    - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Christian Wheeler, 07/26/2016
  - Re: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Michael H Lambert, 07/26/2016
    - Re: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Jeff Bartig, 07/26/2016
      - RE: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Michael Hare, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Grover Browning, 07/26/2016
  - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Spears, Christopher M., 07/26/2016
    - [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing, Michael Hare, 07/26/2016
    - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Bill Jensen, 07/26/2016
      - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
  - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
- <Possible follow-up(s)>
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, John Kristoff, 07/26/2016
  - Re: [Security-WG] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
    - Re: [Security-WG] New Well-Known BGP Community for Blackholing, Paul Howell, 07/27/2016
      - RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016
        
        Re: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Matthew J Zekauskas, 07/27/2016
        
        RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016

List archive

[Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing