Home page logo

nanog logo nanog mailing list archives

Re: Tier1 blackholing policy?
From: Jon Lewis <jlewis () lewis org>
Date: Tue, 30 Apr 2013 11:16:22 -0400 (EDT)

On Tue, 30 Apr 2013, Thomas Schmid wrote:

I know Tier1s are blackholing traffic all the time :) (de-peering, congestion etc.) but did it became a new role for Tier1s to go from transit provider to transit blocker?

We received recently customer complaints stating they can't reach certain websites. Investigation showed that the sites were not reachable via Tier1-T, but fine via Tier1-L. I contacted Tier1-T and the answer was something like "yeah, this is a known phishing site and to protect our customers we blackhole that IP" (btw - it was 2 ASes away from Tier1-T).

Huh? If I want to block something there, it should me my decision or that of my country's legal entities by court order and not being decided by some Tier1's intransparent security department. (Not even mentioning words like 'CGN', 'legal', 'net neutrality' or 'censorship') This might be an acceptable policy for a cable provider but not for a Tier1.

Haven't seen something like this in many years. Did I miss a pardigm-shift here and has this become a common "service" at Tier1s?

I vaguely recall having the same sort of problem many years ago with Above.net transit. IIRC, the sentiment back then was similarly that this was inappropriate behavior for a Tier1/2 transit provider. If you're going to propagate the routes, deliver the traffic. I suppose an argument could be made though that if there's phishing or malicious traffic targeting your customers from a single IP, it could be appropriate to blackhole the IP rather than reject the advertisement for an entire CIDR.

 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]