RE: Global Blackhole Service

Of course, whoever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real traction in the field. There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone can peer with it.

- S

Skywing schrieb:

Of course, whoever hosts such a service becomes an attractive DoS target themselves if it were ever to gain real traction in the field. There is also the "reverse-DoS" issue of an innocent party getting into the feed if anyone can peer with it.

You are right, and that's also what I am currently thinking about. Well, one solution might be that all participants' blackhole routers' IPs are also announced with some special community, and all participants drop all traffic but BGP traffic from IPs listed with that community to the blackhole RR destination(s) everywhere in their network.


From: Nuno Vieira - nfsi telecom <>
Sent: Friday, February 13, 2009 07:13
To: Jens Ott - PlusServer AG <>
Cc: nanog <>
Subject: Re: Global Blackhole Service

Hi Jens,

I think we are in the same boat.

We suffered the same problem often, on a lower magnitude, but if a project like this exists those DDoS could even be almost near zero.

This is somewhat similar to what Spamcop, and other folks do with SPAM today, but applied on a different scope, say, BGP Blackhole.

This service can span wide after just peers, opening the opportunity to edge-to-edge DDoS mitigation.

Say, a network in .pt or .de is being attacked at large, and dst operators inject the dst attacked source on the blackhole bgp feed... say that 100+ other ops around the world use a scenario like this... this might be very useful.
Concerns: the "authority" or the "responsible" for maintaining this project, must assure that OP A or OP B can *only* announce chunks that belong to him, avoiding any case of hijack.

We would be interested in participating in something like this.


My questions to all of you:

- What do you think about such service?

It will be great. We are available to help.

- Would you/your ASN participate in such a service?


- Do you see some kind of useful feature in such a service?

Yes, a few thoughts above, some more might come up.

- Do you have any comments?

For starters, a few above.

Nuno Vieira
nfsi telecom, lda.
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301


In the last 24 hours we received two denial of service attacks with like 6-8GBit volume. It did not harm us too much, but e.g. one of our upstreams got his Amsix-Port exploded.

With our upstreams we have remote-blackhole sessions running where we /32 prefixes to blackhole at their edge, but this does not work with peers. Also our Decix-Port received something like 2Gbit extra-traffic this DoS.

I can imagine, that for some peers, especially for the ones having only a thin fiber (e.g. 1GBit) to Decix, it's not too funny having it flooded with a DoS and that they might be interested in dropping such traffic at their

Well I could discuss with my peers (at least the ones who might get in with such issue) to do some individual config for some but most probably I'm not the only one receiving DoS and who would be interested in such setup.

Therefore I had the following idea: Why not take one of my old routers and set it up as blackhole-service. Then everyone who is interested could set up a session to there and

1.) announce /32 (/128) routes out of his prefixes to blackhole them
2.) receive all the /32 (/128) announcements from the other peers with the IPs they want to have blackholed and rollout the blackhole to their

My questions to all of you:

- What do you think about such service?
- Would you/your ASN participate in such a service?
- Do you see some kind of useful feature in such a service?
- Do you have any comments?

Thank you for telling me your opinions and best regards

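As an added example that is not part of the thread, this is the acceptance policy a shared blackhole route server of the kind proposed above would need: only host routes (/32 or /128) that fall inside the announcing participant's own registered prefixes and carry the blackhole community are accepted, which is the anti-hijack check Nuno asks for. The ASNs, prefixes and the community value are constructed sample values, not anything from the thread.

```python
# Added example, not code from the thread: acceptance policy for a shared
# blackhole route server. A participant (keyed by ASN) is registered with the
# prefixes it is authorised to blackhole from; an announcement is accepted only
# if it is a host route, inside one of those prefixes, and carries the
# blackhole community. All values below are constructed for the example.
import ipaddress

# Assumed community used to mark blackhole routes (constructed value).
BLACKHOLE_COMMUNITY = "65535:666"

# Constructed registry: participant ASN -> prefixes it may blackhole from.
REGISTRY = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}


def validate_announcement(peer_asn, prefix, communities, registry=REGISTRY):
    """Return (accepted, reason) for one announcement received from peer_asn."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "unparsable prefix"
    if peer_asn not in registry:
        return False, "unknown participant"
    # Only /32 (IPv4) or /128 (IPv6) host routes are allowed into the feed,
    # so one participant cannot blackhole a whole block by mistake.
    if net.prefixlen != net.max_prefixlen:
        return False, "not a host route (/32 or /128 required)"
    if BLACKHOLE_COMMUNITY not in communities:
        return False, "missing blackhole community"
    # The route must sit inside a prefix registered to the announcing ASN;
    # anything else is rejected as a possible hijack of someone else's space.
    for allowed in registry[peer_asn]:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True, "accepted"
    return False, "prefix not registered to announcing ASN (possible hijack)"


def filter_feed(announcements, registry=REGISTRY):
    """Apply the policy to (asn, prefix, communities) tuples; return accepted prefixes."""
    return [p for asn, p, c in announcements
            if validate_announcement(asn, p, c, registry)[0]]
```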