Until such time as we succeed in preventing IP spoofing in the Internet, Distributed Denial of Service (DDOS) attacks are going to be a problem. Job Snijders gave a presentation at RIPE 68 detailing some work he has been doing on implementing selective blackholing for operators under DDOS attacks.
His selective blackholing configuration and associated scripting are meant to be applied when under a sustained DDOS attack, not during general operation. It essentially gives operators who provide transit services to one or more customers the ability to selectively blackhole traffic based on geographical determinants.
The example given in the presentation is of a customer under sustained DDOS attack who is able to blackhole all traffic coming from more than 1,000km away. This can be effective when that customer knows the only people visiting their website are within their own geographic proximity.
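The 1,000km case above can be sketched as a planning check an operator might run before requesting the blackhole. This is an added example, not code from the presentation or from Job's scripts. It assumes distance is measured from each ingress PoP to the PoP where the customer connects, and the PoP names and coordinates are constructed sample data.

```python
import math

EARTH_RADIUS_KM = 6371.0

# Constructed sample data: ingress PoPs of a hypothetical transit network,
# as name -> (latitude, longitude) in degrees.
POPS = {
    "amsterdam": (52.37, 4.90),
    "frankfurt": (50.11, 8.68),
    "london": (51.51, -0.13),
    "madrid": (40.42, -3.70),
    "new-york": (40.71, -74.01),
    "singapore": (1.35, 103.82),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def plan_selective_blackhole(customer_pop, radius_km, pops=POPS):
    """Split PoPs into those that keep forwarding to the customer and those
    that would discard traffic for the attacked prefix.

    Assumption (not from the page): a PoP discards when it lies farther than
    radius_km from the PoP where the customer is attached.
    """
    if customer_pop not in pops:
        raise ValueError(f"unknown PoP: {customer_pop}")
    if radius_km < 0:
        raise ValueError("radius_km must be non-negative")
    origin = pops[customer_pop]
    plan = {"forward": [], "discard": []}
    for name, location in sorted(pops.items()):
        distance = haversine_km(origin, location)
        action = "forward" if distance <= radius_km else "discard"
        plan[action].append((name, round(distance)))
    return plan


if __name__ == "__main__":
    for action, entries in plan_selective_blackhole("amsterdam", 1000).items():
        for name, distance in entries:
            print(f"{action:8s} {name:10s} {distance:6d} km")
```

Users who enter the network at a PoP on the discard side lose access to the customer along with the attack traffic, which is why the approach suits customers whose audience is local.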
The presentation video is available on the RIPE 68 website along with the associated slides. Job has also written a lengthy email explaining in more detail how to implement selective blackholing.
When you’re finished viewing the presentation, check out our Securing BGP and Anti-spoofing pages for more information on securing the Internet’s routing protocol.