netsec-sig - [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing
Subject: Internet2 Network Security SIG
List archive
- From: Michael Hare <>
- To: "" <>, Grover Browning <>
- Cc: David Farmer <>, "" <>, "" <>
- Subject: [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing
- Date: Tue, 26 Jul 2016 14:30:51 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Short version: a great idea, just not a top priority IMHO.
Longer version: AS 3128, University of Wisconsin System, may transition
when/if JunOS supports it as a baked in constant. Internally we have a
community that blackholes/flowspecs upstream from AS 3128 but not within AS
3128 [to keep our quasi enterprise functional], so I'll have custom stuff in
play regardless of these efforts.
-Michael
> -----Original Message-----
> From:
>
> [
> ]
> On Behalf Of Spears, Christopher M.
> Sent: Tuesday, July 26, 2016 9:20 AM
> To: Grover Browning
> <>
> Cc: David Farmer
> <>;
>
> ;
> security-
> ;
>
>
> Subject: [Security-WG] Re: [NTAC] New Well-Known BGP Community for
> Blackholing
>
> > On Jul 26, 2016, at 9:44 AM, Grover Browning
> > <>
> > wrote:
> >
> > David,
> >
> > Do you see a downside to transiting?
>
>
> (Answering for myself, not David :)
>
> IMHO, it’s an issue of trust/verification. At a fixed point in time, you
> may trust
> a certain peer network; however you cannot control who they peer with, or
> what they accept from those peers, or their peers, etc. That said, the
> route
> will be propagated, so you can always limit the origin-as you’ll accept
> this from.
> Of course, you’re then back to a per-peer blackhole policy, just using a
> well-
> known BGP community.
>
> >
> > For BLACKHOLE, everything I can think of begins with: "First, hijack the
> > route
> …”
>
> Blackholing is the ultimate DOS - you get your target /32s blackholed, and
> you’ve won. Again, trust. This is all destination-based hinting, not
> source-
> specific ingress filtering for DDOS, and has nothing to do with route
> hijacking.
> BCP38, anti-virus/malware, anti-botnet efforts, and bleach are the only
> solutions for DDOS at the moment. Route hijacking has a mixed bag of
> arguably effective tools, as well.
>
> -Chris
>
>
> >
> > -Grover
> >
> >
> >> On Jul 25, 2016, at 7:55 PM, David Farmer
> >> <>
> >> wrote:
> >>
> >> if experiments show it's useful I'd support it, but right now I'm
> >> skeptical how
> useful transiting this would be for us.
> >>
> >
- [Security-WG] New Well-Known BGP Community for Blackholing, David Farmer, 07/25/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Paul Howell, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Brad Fleming, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Christian Wheeler, 07/26/2016
- Re: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Michael H Lambert, 07/26/2016
- Re: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Jeff Bartig, 07/26/2016
- RE: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Michael Hare, 07/26/2016
- Re: [Security-WG] [NTAC] New Well-Known BGP Community for Blackholing, Jeff Bartig, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Brad Fleming, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Grover Browning, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Spears, Christopher M., 07/26/2016
- [Security-WG] RE: [NTAC] New Well-Known BGP Community for Blackholing, Michael Hare, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Bill Jensen, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Spears, Christopher M., 07/26/2016
- <Possible follow-up(s)>
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, John Kristoff, 07/26/2016
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, Paul Howell, 07/27/2016
- RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016
- Re: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Matthew J Zekauskas, 07/27/2016
- RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016
- RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Spurling, Shannon, 07/27/2016
- RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016
- Re: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Matthew J Zekauskas, 07/27/2016
- RE: [Qt-security] [Security-WG] New Well-Known BGP Community for Blackholing, Michael Hare, 07/27/2016
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, Paul Howell, 07/27/2016
- Re: [Security-WG] New Well-Known BGP Community for Blackholing, David Farmer, 07/26/2016
- [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing, Paul Howell, 07/26/2016
Archive powered by MHonArc 2.6.19.