Hi, do people use scrubbing services, when under DDoS attack, by having the scrubbing service announce the attacked IP prefix(es)?
If so, and you have a ROA for these prefixes, do you authorize the scrubbing AS (by issuing ROA or otherwise), and if so, do you do it in advance or only when you need the scrubbing service to announce your prefix?
To clarify: we have a possible method to allow such ‘emergency ROAs’ but I’m not convinced if we have a solution to a real problem - or if we just found a cute crypto solution and will end up writing it for a non-real problem. I prefer not to waste our time on presenting cute solutions to non-real problems.
So thanks for your help! Use your judgement whether to respond on list or off list.
Many thanks, Amir
It has been a few years, but I recall advertising my routes to the scrubbing center via a tunnel and just prepending to my other peers when in mitigation. This was pre-RPKI days, but my ASN was still originating the route. So, I would assume no change in ROA would be needed in that scenario. Are you allowing them to originate your routes or are they just another hop in your as-path?
Tom, thanks. I’m an academic researcher, not a network operator, sorry for the confusion, I should have been clearer.
The practice you described indeed shouldn’t require ROA. I didn’t even consider it, probably since I’ve been working so much on prefix hijacks, and this prefix would result in increased vulnerability to prefix hijacks. But if there’s only a DDoS attack on the prefix and it’s not being hijacked at the same time, then I think this practice may be fine - which would make such ‘emergency ROA’ unnecessary.
So that’s very very useful feedback, thanks a lot!! Amir
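
The distinction drawn in this thread, as an added example that is not part of any poster's message: route origin validation in the style of RFC 6811 only looks at the origin AS, so a route sent through a scrubbing center or prepended stays valid under the existing ROA, while a route originated by the scrubbing AS does not. The prefix and AS numbers are constructed from documentation ranges, and `CUSTOMER_AS`, `SCRUBBER_AS` and `UPSTREAM_AS` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data (documentation prefix and AS numbers, not from the thread).
CUSTOMER_AS, SCRUBBER_AS, UPSTREAM_AS = 64496, 64511, 64500
PREFIX = "203.0.113.0/24"
VRPS = [VRP(PREFIX, 24, CUSTOMER_AS)]

def origin_as(as_path):
    """The origin is the rightmost AS in the path; prepending never changes it."""
    return as_path[-1]

def validate(prefix, as_path, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        if route.prefixlen <= vrp.max_length and origin == vrp.asn:
            return "valid"
    return "invalid" if covered else "not-found"

def scenarios(vrps):
    """Validation state of each announcement style discussed in the thread."""
    return {
        "normal": validate(PREFIX, [UPSTREAM_AS, CUSTOMER_AS], vrps),
        # Scrubbing center is just another hop; the customer AS still originates.
        "via_scrubber": validate(PREFIX, [SCRUBBER_AS, CUSTOMER_AS], vrps),
        # Prepending toward other peers repeats the origin AS.
        "prepended": validate(PREFIX, [UPSTREAM_AS] + [CUSTOMER_AS] * 3, vrps),
        # Scrubbing AS originates the prefix itself.
        "scrubber_originates": validate(PREFIX, [SCRUBBER_AS], vrps),
    }

if __name__ == "__main__":
    for name, state in scenarios(VRPS).items():
        print(f"{name:20} {state}")
```

Adding a second VRP for the scrubbing AS to the list is what turns the last case from invalid to valid.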