undefined | Better HN

0 pointsfvv2y ago0 comments

because alternatives usually cost several thousands $/months..

what has the internet become?

Why not create blacklists (even on a timed basis) with the IPs to block at BGP level? and these blacklists managed by bodies,

- okay they are bodies..., but at least they can be open foundations to which it is not mandatory to join (as in the case of cloudflare)-

available to BGP backbones and routed on a network, castrate the blacklisted traffic?

maybe even at host level be able to make one IP available for normal traffic and possibly one for blacklist traffic using BGP routings to which the blacklist tables are applied?

0 comments

4 comments · 2 top-level

hoffs2y ago· 2 in thread

So if someone becomes part of the bonnet, they are denied all access to the internet

remram2y ago

Isn't that good though? Unblock them when they fix their host.

ElectricalUnion2y ago

(I am not a lawyer) I don't know how legal it actually is, how enforceable it is, and if the whole marker applies those, but my ISP contract has provisions that says I'm not authorized to invade or damage third parties using their internet service.

toast02y ago

That basically exists, look at BGP blackholes. Fairly well supported, and it works at what it does, but it can be too blunt of a tool, because it blackholes by destination, not by source.

Border routers are wired to make forwarding decisions based on destination addresses, and not source addresses, so options are limited. Even if you could blackhole by source/dest pair, the distributed nature of DDoS means thousands of sources, which means thousands of rules/routes, which isn't ideal. Some providers might have some capacity to do smarter filters, but it's limited and not very standardized.

If you're dealing with volumetric DDoS, the simple reality is you need big pipes if you want to accept the traffic. Otherwise, cycle IPs and hope legit traffic finds new IPs faster than abusers do. Run your backend communication over a separate network or at least totally separate IP space, so at least you're not losing management capability while under attack.

DDoS mitigation should be a complimentary business with CDN, becuase the traffic flows are opposite of usual, and CDNs generally connect with symetric connections, so what were they going to do with the inbound bandwidth anyway? But that doesn't mean all CDNs run that line of business.

j / k navigate · click thread line to collapse