[c-nsp] Sinkhole Routing

Wojtek Zlobicki wojtek.zlobicki at gmail.com
Wed Sep 29 08:09:25 EDT 2004


This method, often called blackhole, allows for a filtering load to be
distributed.  Assuming a distributed DoS attack, when traffic is
entering your upstream provider's network at multiple points, creating
a blackhole community allows for all traffic with a particular tag
(666 is popular) to be null routed.  Each and every BGP speaking
router at your provider will null route any traffic based on a given
community; this way, when attacking hosts are entering a network at
50 points, the load is distributed, and no single router is asked to
filter megabits/gigabits of traffic.  Most providers allow their
customers to send a route update with a blackhole community, which allows
traffic to one host to be null routed without having to call support.
Keep in mind that this is applied upstream and not really at your
router. Blackholes are a last resort; they are great for hosts that
are expendable (a downstream customer's DSL connection) but useless
when the target is your primary mail/web server.  Most providers will
blackhole a host over applying ACLs (to save CPU resources).

E.G.

By whatever method, you know that host 1.6.6.6 is being attacked.  You
send a route update to your service provider (for 1.6.6.6/32) with
their blackhole community string.  Without any interaction of their
network teams, this route gets distributed throughout their network.
Note that this community is generally non transient, aka it does not
get passed to any of your provider's external BGP peers.  Depending on
from whom you purchase transit, and the strength of the attack, your
upstream may need to contact their upstreams to blackhole the traffic.


On Wed, 29 Sep 2004 17:18:33 +0530, Amol Sapkal <amolsapkal at gmail.com> wrote:
> Hi All,
> 
> A good fellow on this list suggested me 'Sinkhole Routing' as a
> solution to DoS attacks. I checked with google and it indeed seems
> promising.
> Anyone who has implemented it in their networks? I would be interested
> to do it too, as long as I don't end up investing in huge hardware.
> 
> --
> Warm Regds,
> 
> Amol Sapkal
> 
> --------------------------------------------------------------------
> An eye for an eye makes the whole world blind
> - Mahatma Gandhi
> --------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 



-- 
----------------------------------------
wojtek.zlobicki at gmail.com
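A minimal Cisco IOS configuration of the customer-triggered blackhole described in the reply above, added here as an illustration and not part of the original post or of any provider's real configuration. The ASNs 65000 (provider) and 65001 (customer), the 65000:666 community, the 192.0.2.1 discard next-hop, the 198.51.100.0/30 link and the customer block 203.0.113.0/24 (with 203.0.113.66 standing in for the attacked host) are assumed placeholders from documentation address space.

```ios
! ---- Customer side (ASN 65001): announce the attacked /32 with the community
! Static route to Null0 gives BGP something to redistribute; tag 666 marks it.
ip route 203.0.113.66 255.255.255.255 Null0 tag 666
!
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 65000:666
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
 neighbor 198.51.100.1 remote-as 65000
 neighbor 198.51.100.1 send-community
!
! ---- Provider side (every BGP-speaking edge router, ASN 65000)
! Discard next-hop: anything resolved to 192.0.2.1 is dropped in hardware.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard BLACKHOLE permit 65000:666
! Safety check: only /32s inside the customer's own allocation may be blackholed,
! so a customer cannot null route addresses it does not own.
ip prefix-list CUST-BLACKHOLE-32 seq 5 permit 203.0.113.0/24 ge 32
ip prefix-list CUST-ROUTES seq 5 permit 203.0.113.0/24
!
route-map CUSTOMER-IN permit 10
 match ip address prefix-list CUST-BLACKHOLE-32
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map CUSTOMER-IN permit 20
 match ip address prefix-list CUST-ROUTES
! implicit deny: any other prefix from this customer is rejected
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 route-map CUSTOMER-IN in
 neighbor 198.51.100.2 send-community
```

The no-export community on the provider side is what keeps the /32 from leaking to the provider's external peers, matching the "non transient" behaviour the reply describes; removing the customer's static route withdraws the blackhole.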

