RE: Blackholes and IXs and Completing the Attack.

From: Ben Butler (no email)
Date: Sat Feb 02 2008 - 17:40:56 EST

     Hi,

    "i explained why this is bad -- it lowers the attacker's costs in what
    amounts to an economics war. they can get a web site taken down by its
    own provider just by attacking it. they need fewer resources for their
    attack once they know the provider's going to blackhole the victim."

    I thought the cold war nuclear arms race had shown itself to be truly MAD.
    Who is paying for this ever escalating capacity of infrastructure as a
    way to survive large DoS attacks?

    Smaller attacks can be absorbed, but I really can't see a strategy of
    endlessly upgrading network router and WAN infrastructure to ensure
    enough headroom ideal capacity is a particularly economically sensible
    approach to the problem.

    Ben

    -----Original Message-----
    From: [mailto:] On Behalf Of Paul Vixie
    Sent: 02 February 2008 21:37
    To: Ben Butler
    Cc:
    Subject: Re: Blackholes and IXs and Completing the Attack.

    > I was not proposing the Null routing of the attack source in the other
    > ISPs network but the destination in my network being Null routed as a
    > destination from your network out.

    i explained why this is bad -- it lowers the attacker's costs in what
    amounts to an economics war. they can get a web site taken down by its
    own provider just by attacking it. they need fewer resources for their
    attack once they know the provider's going to blackhole the victim.

    > This has no danger to the other network as it is my network that is
    > going to be my IP space that is blackholed in your network, and the
    > space blackholed is going to be an address that is being knocked off
    > the air anyway under DoS and we are trying to minimise collateral
    > damage.

    your collateral damage is of precious little interest to someone else's
    backbone staff, unless they can route-filter the potential announcements
    so that you are unable to also remotely blackhole addresses you don't
    advertise. i explained this as an insurance/ISO9000 problem.

    > I think you might have thought I was suggesting we blackhole sources
    > in other people's networks - this is definitely not what I was saying.

    i explained why this would be a more sensible approach, but STILL
    unworkable.

    > So, given we all now understand each other - why is no one doing the
    > above?

    now that we've rehashed what we both said, i think we're done here.
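    Vixie's condition above, that the other backbone route-filter incoming blackhole announcements so a customer can only remotely blackhole addresses it actually advertises, as an added example (not code from this thread). It assumes the customer signals blackhole requests with the well-known BLACKHOLE community 65535:666 (RFC 7999, which postdates this 2008 exchange) and that the peer keeps a registered prefix list per customer; the sample prefixes and announcements are constructed.

```python
import ipaddress

# Well-known BLACKHOLE community (RFC 7999). Assumption: the customer has agreed
# to tag destination-blackhole requests with this community.
BLACKHOLE_COMMUNITY = "65535:666"


def build_filter(customer_prefixes):
    """Prefixes this customer is registered to originate (their own IP space)."""
    return [ipaddress.ip_network(p) for p in customer_prefixes]


def evaluate_blackhole(announcement, allowed):
    """Accept a blackhole route only if it is a single host route, carries the
    blackhole community, and lies inside space the customer legitimately
    advertises. Returns (accepted, reason)."""
    try:
        net = ipaddress.ip_network(announcement["prefix"], strict=True)
    except ValueError as exc:
        return False, f"unparseable prefix: {exc}"
    if BLACKHOLE_COMMUNITY not in announcement.get("communities", ()):
        return False, "missing blackhole community"
    if net.prefixlen != net.max_prefixlen:
        return False, "blackhole must be a single host route"
    # Only compare against allowed prefixes of the same address family.
    if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
        return False, "prefix not covered by customer's registered address space"
    return True, "accepted"


def filter_announcements(announcements, customer_prefixes):
    """Map each announced prefix to its (accepted, reason) verdict."""
    allowed = build_filter(customer_prefixes)
    return {a["prefix"]: evaluate_blackhole(a, allowed) for a in announcements}


# Constructed sample: the customer's registered space and a batch of requests.
SAMPLE_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]
SAMPLE_ANNOUNCEMENTS = [
    {"prefix": "192.0.2.10/32", "communities": ["65535:666"]},    # their own space
    {"prefix": "198.51.100.7/32", "communities": ["65535:666"]},  # someone else's space
    {"prefix": "192.0.2.0/25", "communities": ["65535:666"]},     # too broad
    {"prefix": "192.0.2.11/32", "communities": []},               # not a blackhole request
    {"prefix": "2001:db8::1/128", "communities": ["65535:666"]},  # their own v6 space
]

if __name__ == "__main__":
    for prefix, (ok, why) in filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_PREFIXES).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {prefix:20} {why}")
```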
