
Such attacks are possible because ISPs do not want to adopt a protocol that would allow any host to send a special packet to block malicious traffic on the upstream provider or even at the source network. In this case networks like Cloudflare would become unnecessary.


If it becomes this easy to block traffic couldn't malicious applications really mess up a user by spamming out reject packets for common IP?


I think it would have to be something like "Block traffic from <offending IP> intended for <my IP>. <TTL>. <Cryptographic signature verifying that I control my IP>."


The intermediate routers can send back a confirmation code, and you must send a new reject packet with this code to confirm the ban.


That costs a lot of money to implement. They are in the business of selling pipes, not pipe filters.


The tier 1 & 2 ISPs I've worked with have a blackhole BGP community. https://www.rfc-editor.org/rfc/rfc7999.html
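A defender-side sanity check for RFC 7999 BLACKHOLE announcements received from a customer, as an added example that is not part of this thread or of the RFC; the customer prefix table and the acceptance policy are assumptions, constructed to illustrate the kind of filtering an upstream applies before installing a discard route.

```python
import ipaddress

BLACKHOLE = "65535:666"     # RFC 7999 well-known BGP community
NO_EXPORT = "65535:65281"   # RFC 1997 well-known community

# Constructed example: prefixes each customer is authorised to announce.
# In production this would be built from an IRR/RPKI prefix list (assumption).
CUSTOMER_PREFIXES = {
    "AS64500": [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8:100::/48")],
}


def is_blackhole(communities):
    """True if the route carries the RFC 7999 BLACKHOLE community."""
    return BLACKHOLE in communities


def accept_blackhole(customer, prefix, communities):
    """Decide whether to honour a customer's blackhole request.

    Returns (accepted, reason). Assumed policy, in the spirit of RFC 7999:
      * only routes tagged BLACKHOLE are considered here;
      * the route must be a host route (/32 or /128), so the victim
        sacrifices one address rather than a whole block;
      * the host must fall inside a prefix the customer is authorised for,
        so one customer cannot blackhole another customer's addresses.
    """
    if not is_blackhole(communities):
        return False, "no BLACKHOLE community"
    net = ipaddress.ip_network(prefix, strict=True)
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        return False, f"expected /{host_len} host route, got /{net.prefixlen}"
    allowed = CUSTOMER_PREFIXES.get(customer, [])
    if not any(net.version == p.version and net.subnet_of(p) for p in allowed):
        return False, f"{prefix} is not within {customer}'s authorised prefixes"
    # Accepted: install a discard route and keep it local (NO_EXPORT) unless
    # the operator deliberately propagates it to its own upstreams.
    tags = sorted(set(communities) | {NO_EXPORT})
    return True, f"install discard route for {net} with communities {tags}"


if __name__ == "__main__":
    print(accept_blackhole("AS64500", "192.0.2.10/32", [BLACKHOLE]))
    print(accept_blackhole("AS64500", "192.0.2.0/24", [BLACKHOLE]))
    print(accept_blackhole("AS64500", "198.51.100.7/32", [BLACKHOLE]))
```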


As I understand, "blackholing" is basically siding with criminals: attackers want the victim to get off the network, and by "blackholing" the network operator complies with their demand, which allows attackers to save resources. Everybody wins except for the victim.


Implementation dependent.

Normally for DDoS mitigation, you blackhole on your normal ISP, and you simultaneously advertise on the mitigator. The mitigator scrubs the traffic and sends the clean stuff over a private session back to you.

If you just black hole and move on, yes, that's a loss. However, many ISPs will, because the quick reaction holds the most value for them.


ISPs could enshitty-sell it though.


Altruism is not profitable.



