
netsec-sig - [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing

Subject: Internet2 Network Security SIG


[Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing


  • From: Michael Hare <>
  • To: "" <>, Grover Browning <>
  • Cc: David Farmer <>, "" <>, "" <>
  • Subject: [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing
  • Date: Tue, 26 Jul 2016 14:30:51 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Short version: a great idea, just not a top priority IMHO.

Longer version: AS 3128, University of Wisconsin System, may transition
when/if JunOS supports it as a baked in constant. Internally we have a
community that blackholes/flowspecs upstream from AS 3128 but not within AS
3128 [to keep our quasi enterprise functional], so I'll have custom stuff in
play regardless of these efforts.

-Michael

> -----Original Message-----
> From: [ ] On Behalf Of Spears, Christopher M.
> Sent: Tuesday, July 26, 2016 9:20 AM
> To: Grover Browning <>
> Cc: David Farmer <>; ; security- ;
> Subject: [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing
>
> > On Jul 26, 2016, at 9:44 AM, Grover Browning <> wrote:
> >
> > David,
> >
> > Do you see a downside to transiting?
>
>
> (Answering for myself, not David :)
>
> IMHO, it’s an issue of trust/verification. At a fixed point in time, you
> may trust a certain peer network; however you cannot control who they peer
> with, or what they accept from those peers, or their peers, etc. That said,
> the route will be propagated, so you can always limit the origin-as you’ll
> accept this from. Of course, you’re then back to a per-peer blackhole
> policy, just using a well-known BGP community.
>
> >
> > For BLACKHOLE, everything I can think of begins with: "First, hijack the
> > route …”
>
> Blackholing is the ultimate DOS - you get your target /32s blackholed, and
> you’ve won. Again, trust. This is all destination-based hinting, not
> source-specific ingress filtering for DDOS, and has nothing to do with
> route hijacking. BCP38, anti-virus/malware, anti-botnet efforts, and bleach
> are the only solutions for DDOS at the moment. Route hijacking has a mixed
> bag of arguably effective tools, as well.
>
> -Chris
>
>
> >
> > -Grover
> >
> >
> >> On Jul 25, 2016, at 7:55 PM, David Farmer <> wrote:
> >>
> >> if experiments show it's useful I'd support it, but right now I'm
> >> skeptical how useful transiting this would be for us.
> >>
> >
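
The per-peer verification Chris describes above (honour the well-known community only from an origin AS you have chosen to trust, only for address space that origin is entitled to blackhole, and only for host routes) can be written down as a route-acceptance check. The Python below is an added example, not code from this thread or from any of the networks mentioned in it. It assumes RFC 7999's BLACKHOLE community, 65535:666, as the well-known community; the peer policy, ASNs and prefixes are constructed from documentation ranges, and the `Route`/`PeerPolicy` shapes are this example's own, not any router's API.

```python
"""Acceptance check for routes tagged with the well-known BLACKHOLE community.

Constructed example. Assumptions:
  * the well-known community is RFC 7999 BLACKHOLE, 65535:666;
  * each peer carries a local policy listing which origin ASNs we trust
    for blackholing and which covering prefixes each origin may blackhole;
  * only host routes (/32 or /128) may ever be blackholed.
"""
import ipaddress
from dataclasses import dataclass

BLACKHOLE = "65535:666"   # RFC 7999 well-known BLACKHOLE community


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "192.0.2.1/32"
    as_path: tuple         # left-most element is the peer that sent it
    communities: frozenset # community strings as "asn:value"


@dataclass
class PeerPolicy:
    peer_as: int
    # origin ASN -> aggregates that origin is allowed to blackhole within
    trusted_origins: dict


def evaluate(route: Route, policy: PeerPolicy):
    """Return (action, reason); action is 'normal', 'blackhole' or 'reject'."""
    try:
        net = ipaddress.ip_network(route.prefix, strict=True)
    except ValueError as exc:
        return "reject", f"unparseable prefix: {exc}"

    if BLACKHOLE not in route.communities:
        return "normal", "no BLACKHOLE community; ordinary route processing"

    # 1. Never blackhole anything wider than a single host.
    if net.prefixlen != net.max_prefixlen:
        return "reject", f"/{net.prefixlen} is not a host route"

    # 2. The path must begin with the peer we actually learned it from.
    if not route.as_path or route.as_path[0] != policy.peer_as:
        return "reject", "AS path does not start with the sending peer"

    # 3. The origin (right-most AS) must be one we trust for blackholing.
    #    This is the "limit the origin-as you'll accept this from" step.
    origin = route.as_path[-1]
    allowed = policy.trusted_origins.get(origin)
    if allowed is None:
        return "reject", f"origin AS{origin} not trusted for blackholing"

    # 4. The host must sit inside space that origin is authorised to blackhole.
    covered = any(
        (agg := ipaddress.ip_network(p)).version == net.version
        and net.subnet_of(agg)
        for p in allowed
    )
    if not covered:
        return "reject", f"{route.prefix} is outside what AS{origin} may blackhole"

    return "blackhole", f"drop traffic to {route.prefix} on request of AS{origin}"


# Constructed policy for peer AS64500 (documentation ASN): it may relay
# blackhole requests originated by AS64501 for hosts in 192.0.2.0/24 and
# 2001:db8::/32, and by AS64502 for hosts in 198.51.100.0/24 only.
POLICY = PeerPolicy(
    peer_as=64500,
    trusted_origins={
        64501: ("192.0.2.0/24", "2001:db8::/32"),
        64502: ("198.51.100.0/24",),
    },
)

# Constructed sample announcements, as received from AS64500.
SAMPLE_ROUTES = (
    Route("192.0.2.1/32", (64500, 64501), frozenset({BLACKHOLE})),
    Route("2001:db8::1/128", (64500, 64510, 64501), frozenset({BLACKHOLE, "64500:100"})),
    Route("192.0.2.0/24", (64500, 64501), frozenset({BLACKHOLE})),
    Route("192.0.2.1/32", (64500, 64503), frozenset({BLACKHOLE})),
    Route("198.51.100.7/32", (64500, 64501), frozenset({BLACKHOLE})),
    Route("192.0.2.1/32", (64509, 64501), frozenset({BLACKHOLE})),
    Route("192.0.2.1/32", (64500, 64501), frozenset()),
)

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        action, reason = evaluate(r, POLICY)
        print(f"{r.prefix:<20} {action:<10} {reason}")
```

Step 4 is what turns a single well-known community back into a per-peer policy: the community is the same everywhere, but the mapping from origin AS to the space it may blackhole is something only the receiving network can decide, which is the point Chris makes about trust not transiting.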



