[nsp-sec] DDoS Chicken and Egg Problem
Sean Donelan
sean at donelan.com
Wed Mar 26 20:09:41 EDT 2008
On Wed, 26 Mar 2008, Jason Gardiner wrote:
> At any rate, all of these would need to be implemented on the side doing
> the policing. If we were to assume that nothing could be/would be done
> on the upstream, can you think of any ways to blackhole the target IP on
> upstream networks without having to call in manual intervention?
Manual on which side? The upstream could implement a customer portal
application which the customer could use through another network path,
e.g. using the wifi at the local Starbucks, or on their iPhone web
browser. Authentication is left as an exercise for the reader.
The NMS folks can come up with some nasty XML for automation.
I suspect, other than internal company politics between groups, fixing
the BGP communication on the upstream provider's router is going to
be simpler than pushing it through all the customer care systems.
> To continue the other part of the thread, it would be a joy to see some
> kind of standard on how to manage control plane traffic. I've seen some
> really good/clever ideas, but nothing that really seems to be the de
> facto method.
Fred Baker has been pushing this rock up hill in the IETF for several
years. There are several drafts, and maybe even an RFC or two now.
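The self-service portal Sean sketches above has one security-relevant core: the upstream must only ever blackhole a host address that the requesting customer is actually authorised for, and every trigger must be recorded and expire on its own. The following is an added example, not code from this thread or from any provider's portal; it models that back end in Python. It assumes a customer-to-allocation table, a Cisco-style trigger-router static route tagged for a redistribute route-map, the well-known BLACKHOLE community 65535:666 from RFC 7999 (which post-dates this 2008 post), and a constructed policy of a 2-hour lifetime and at most 10 active entries per customer.

```python
"""Model of an upstream-side customer blackhole (RTBH) portal back end.

Added example; the customer table, route syntax, TTL and limits are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 well-known BLACKHOLE community
STATIC_ROUTE_TAG = 666              # assumed: tag matched by the redistribute route-map
MAX_ACTIVE_PER_CUSTOMER = 10        # assumed policy limit
DEFAULT_TTL = timedelta(hours=2)    # assumed: entries expire unless renewed


@dataclass
class Customer:
    name: str
    prefixes: list  # allocations (strings) the customer may blackhole inside

    def __post_init__(self):
        self.prefixes = [ipaddress.ip_network(p) for p in self.prefixes]


@dataclass
class Blackhole:
    customer: str
    host_route: object  # IPv4Network /32 or IPv6Network /128
    expires: datetime


class BlackholePortal:
    """Authorise a request, record it, and render the trigger-router route."""

    def __init__(self, customers):
        self.customers = {c.name: c for c in customers}
        self.active = {}  # host route -> Blackhole
        self.audit = []   # (time, customer, action, route); constructed in-memory log

    def _authorise(self, customer_name, target):
        cust = self.customers.get(customer_name)
        if cust is None:
            raise PermissionError("unknown customer")
        net = ipaddress.ip_network(target, strict=True)
        # Only host routes: a customer may sink traffic to its own victim address,
        # never a whole block (limits the damage of a mistaken or abused request).
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("only host routes (/32 or /128) may be blackholed")
        if not any(p.version == net.version and net.subnet_of(p) for p in cust.prefixes):
            raise PermissionError(f"{net} is not inside {customer_name}'s allocations")
        return net

    def request(self, customer_name, target, now=None):
        now = now or datetime.now(timezone.utc)
        net = self._authorise(customer_name, target)
        live = [b for b in self.active.values()
                if b.customer == customer_name and b.expires > now]
        if net not in self.active and len(live) >= MAX_ACTIVE_PER_CUSTOMER:
            raise RuntimeError("active blackhole limit reached for this customer")
        entry = Blackhole(customer_name, net, now + DEFAULT_TTL)
        self.active[net] = entry  # re-requesting an address renews its lifetime
        self.audit.append((now, customer_name, "add", str(net)))
        return self.render(entry)

    def withdraw(self, customer_name, target, now=None):
        now = now or datetime.now(timezone.utc)
        net = self._authorise(customer_name, target)
        entry = self.active.get(net)
        if entry is None or entry.customer != customer_name:
            return None
        del self.active[net]
        self.audit.append((now, customer_name, "withdraw", str(net)))
        return self.render(entry, remove=True)

    def expire(self, now):
        """Drop entries whose lifetime has passed; returns the routes removed."""
        gone = [n for n, b in self.active.items() if b.expires <= now]
        for n in gone:
            b = self.active.pop(n)
            self.audit.append((now, b.customer, "expire", str(n)))
        return [str(n) for n in gone]

    @staticmethod
    def render(entry, remove=False):
        """Cisco-style static route to a discard interface, tagged for redistribution."""
        net = entry.host_route
        if net.version == 4:
            line = f"ip route {net.network_address} {net.netmask} Null0 tag {STATIC_ROUTE_TAG}"
        else:
            line = f"ipv6 route {net} Null0 tag {STATIC_ROUTE_TAG}"
        return {
            "action": "remove" if remove else "add",
            "static_route": ("no " if remove else "") + line,
            "community": BLACKHOLE_COMMUNITY,
            "expires": entry.expires.isoformat(),
        }


if __name__ == "__main__":
    portal = BlackholePortal([Customer("acme", ["192.0.2.0/24", "2001:db8::/32"])])
    print(portal.request("acme", "192.0.2.10"))
```

The rendered static route is what a trigger router would carry; a redistribute route-map matching tag 666 then sets the community and a discard next-hop so the upstream's edge routers drop traffic to that one host. The authorisation step is the part that cannot be left out: without the allocation check, the portal becomes a way for any authenticated customer to knock any address off the provider's network.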