[GTER] BlackHole no IX.BR

Job Snijders job at ntt.net
Tue Jan 7 13:16:21 -03 2020


Dear all,

The idea to use a route server to distribute requests for blackholing is
not new and has been tried in a few places (such as DE-CIX), but there
are some obstacles in operating such a mechanism securely.

A) How do you prevent people from requesting blackholes for IP space
that is not theirs? We know that normal BGP filtering already is a
challenge, so introducing a mechanism which can be easily abused is
tricky.

B) Another downside of the 'distribute blackholes via route server'
model is that it requires *EVERY* participant to implement custom
routing policy to honor the blackhole requests. I am not sure it is
reasonable to expect hundreds of participants to update their router
configurations for this purpose. And until everyone updated their
configurations, the blackhole mechanism will be ineffective (yet still
dangerous, see point A!).

So with the above in mind, I would like to suggest an alternative
approach:

ALTERNATIVE APPROACH: implement blackholing inside the IXP fabric
-----------------------------------------------------------------

A safer and more effective way of handling requests for blackholes is to
set up a special BGP speaker (let's call it the 'blackhole server'),
which translates received BGP route announcements into combined layer-2
+ layer-3 access-list filters which are automatically applied to
switch ports.

The idea of implementing blackholes inside IXP switching fabrics is not
new: https://mailman.nanog.org/pipermail/nanog/2014-October/070310.html
and has been implemented at United IX in practice (see from 09:00
onwards: https://www.youtube.com/watch?v=1v_HUGpWOvA)

The big advantages are:

    1) 100% effective blackholes from day 1, no cooperation or
    configuration changes are required from any participant to honor
    these. Honoring the blackhole requests happens inside the IXP rather
    than inside the ISPs connected to the IXP.

    2) better scalability, because you don't end up with thousands of
    blackhole routes in hundreds of BGP routers, but rather have ACLs
    distributed just to the places where they need to exist.

    3) 100% safe. Participants who request a blackhole (either via the
    special BGP speaker, or via a web interface) can only affect their
    own ports or traffic flowing to their own MAC address. So if a
    participant requests to blackhole 1.1.1.1/32 or 8.8.8.8/32 ... the
    system would only blackhole traffic flowing towards the requester of
    the blackhole. People can only shoot themselves in the foot, but not
    disrupt other people's businesses.

I understand that the above solution requires more work from the IX.BR
organisation... but at the same time it significantly reduces the work
that would be required from ALL participants if a simple 'route server'
is used. The approach is also much safer from an EBGP routing security
point of view because the blackhole routes are not redistributed to
other EBGP peers, but are converted into something that only applies
inside the IXP switching fabric itself.

Kind regards,

Job

On Tue, Jan 07, 2020 at 02:38:36PM +0000, Willian Pires de Souza wrote:
> Given the recent "extortion" attack events that some providers have
> been suffering, I would like to start a "thread" so that everyone can
> express their opinion about IX.BR.
> 
> Could IX.BR, like AMS-IX, make a route-reflector available so that
> autonomous systems can exchange "blackhole" prefixes, in order to help
> mitigate events that arrive through IX.BR itself (China Telecom,
> Hurricane)?
> 
> Obviously, not announcing your prefixes by default to those participants
> can be an individual policy, but something more refined like a
> "blackhole" seems more "fine-grained" to me.
> 
> Given the relevance of IX.BR in the overall national traffic of
> autonomous systems, does IX.BR have any strategy to assist participants
> with regard to DDoS?
> 
> I may be behind on information that has already been passed along;
> could whoever has it "at hand" re-insert it in this email?
> 
> Happy new year and a warm hug to all.
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
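To make the "blackhole server" proposal concrete, here is an added Python model of the translation step it describes: a BGP announcement carrying the blackhole community is turned into a layer-2 + layer-3 drop rule that matches the requester's own MAC address and the announced destination prefix, so a request for 8.8.8.8/32 only affects traffic heading to the requester's port. This is illustration code, not the implementation at United IX, IX.br or anything Job Snijders published. The participant/port/MAC table, the ASNs (64500, 64501, private range), the frame-matching helper and the host-route-only policy are assumptions made here; the community 65535:666 is the RFC 7999 BLACKHOLE well-known community.

```python
"""Toy model of an IXP 'blackhole server' that converts BGP blackhole
announcements into per-port L2+L3 drop rules.

Added example, not code from United IX, IX.br or the original post.
Constructed assumptions: the participant table, the ASNs, the rule/frame
model, and the policy of only accepting host routes (/32, /128)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

BLACKHOLE = "65535:666"  # RFC 7999 BLACKHOLE well-known community


@dataclass(frozen=True)
class Participant:
    asn: int
    port: str   # switch port on the IXP fabric (constructed name)
    mac: str    # MAC of the participant's router on the peering LAN


@dataclass(frozen=True)
class Announcement:
    peer_asn: int          # the BGP session the route arrived on
    prefix: str
    communities: frozenset


@dataclass(frozen=True)
class DropRule:
    port: str       # requester's port, the only place the rule is installed
    dst_mac: str    # requester's MAC: the layer-2 half of the match
    dst_net: ipaddress.IPv4Network | ipaddress.IPv6Network  # layer-3 half


class BlackholeServer:
    """Participant table plus the currently installed drop rules."""

    def __init__(self, participants, host_routes_only=True):
        self._by_asn = {p.asn: p for p in participants}
        self._host_only = host_routes_only  # assumption: /32 and /128 only
        self._rules = {}                    # (peer_asn, prefix) -> DropRule
        self.rejected = []                  # (announcement, reason) for the log

    def announce(self, ann):
        """Translate one received route into a drop rule, or reject it."""
        if BLACKHOLE not in ann.communities:
            return None  # ordinary route, not a blackhole request
        requester = self._by_asn.get(ann.peer_asn)
        if requester is None:
            self.rejected.append((ann, "unknown peer"))
            return None
        try:
            net = ipaddress.ip_network(ann.prefix, strict=True)
        except ValueError:
            self.rejected.append((ann, "malformed prefix"))
            return None
        if self._host_only and net.prefixlen != net.max_prefixlen:
            self.rejected.append((ann, "not a host route"))
            return None
        # Deliberately NOT checked: whether the prefix belongs to the
        # requester. The rule only matches frames whose destination MAC is
        # the requester's own router, so a bogus prefix hurts nobody else.
        rule = DropRule(requester.port, requester.mac, net)
        self._rules[(ann.peer_asn, str(net))] = rule
        return rule

    def withdraw(self, peer_asn, prefix):
        """A BGP withdraw (or session teardown) removes the rule again."""
        key = (peer_asn, str(ipaddress.ip_network(prefix)))
        return self._rules.pop(key, None)

    def rules_for_port(self, port):
        """Rules that would be pushed to one switch port."""
        return [r for r in self._rules.values() if r.port == port]

    def drops(self, dst_mac, dst_ip):
        """Would the fabric drop a frame with this destination MAC and IP?"""
        addr = ipaddress.ip_address(dst_ip)
        return any(r.dst_mac.lower() == dst_mac.lower() and addr in r.dst_net
                   for r in self._rules.values())


# Constructed example fabric: two participants, one port each.
PARTICIPANTS = [
    Participant(64500, "xe-0/0/1", "00:00:5e:00:53:01"),
    Participant(64501, "xe-0/0/2", "00:00:5e:00:53:02"),
]


def demo():
    """AS64500 asks to blackhole 8.8.8.8/32, an address it does not own."""
    srv = BlackholeServer(PARTICIPANTS)
    srv.announce(Announcement(64500, "8.8.8.8/32", frozenset({BLACKHOLE})))
    # Only xe-0/0/1 receives a rule, and only frames addressed to
    # AS64500's router MAC are dropped; AS64501 still reaches 8.8.8.8.
    return srv


if __name__ == "__main__":
    s = demo()
    print("rules on xe-0/0/1:", s.rules_for_port("xe-0/0/1"))
    print("drop to AS64500 MAC:", s.drops("00:00:5e:00:53:01", "8.8.8.8"))
    print("drop to AS64501 MAC:", s.drops("00:00:5e:00:53:02", "8.8.8.8"))
```

The ownership check that a route-server model would need (point A above) is absent on purpose: scoping the match to the requester's MAC is what makes the request self-limiting, and a withdraw or session drop removes the rule, so no stale state outlives the BGP session.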
