
Comment by codedokode

1 day ago

Why is there no protocol that would allow a network to request blocking traffic from a subnet or network? For example, AS X doesn't want any traffic from Y, and all operators between X and Y block traffic from Y to X.

To motivate lazy network operators, this protocol should be linked with financial conditions: an operator who doesn't honor the request gets a significantly reduced payment for this month's traffic.

I see weak people whining about attacks for like 10 years, and nobody changes anything. It's easier to blame evil hackers than fix their own broken poorly designed systems.

To give a specific example, imagine a business which has 95% of its customers in developed country A, but receives 99% of web requests from developing countries (DDoS attacks mainly come from there). It makes financial sense to cut off those countries first and after that figure out what happened.

The finances work the other way around: you can often pay your transit/upstream providers an additional fee for their DDoS protection/filtering service, where you can signal (via BGP or otherwise) that there's traffic you don't want to receive. BGP Flowspec (or similar) is one of the technologies used here.

The capabilities offered by the protocol you're envisioning already exist in the form of firewall rules and BGP peering agreements.

Most websites and networks would suffer more from blocking residential ISP traffic than they do from misuse of residential ISP traffic, though...

  • No. If you have the majority of your customers in country A, but the attack comes from country B, it is better to cut off B to keep the web services working.

    BGP doesn't allow stopping attacks this way, as I understand it.

    • What if the attack comes from country A too? My understanding is they try to get botnets and residential proxies in large Western countries to avoid being filtered by IP range already.