I'd promised myself that I wouldn't post this until I'd had the time to fully form the idea, but as I find myself constantly overworked and overtired, I might as well post what I have to date and perhaps amend and append further on down the road.
Background noise on the Internet is a growing problem. Bad code with hard-coded IP addresses, forgotten cronjobs, vacated IP ranges, vanished enterprises and so forth have decreased the signal-to-noise ratio of IP traffic on the Internet (think what you will about the ratio of the content). Further, DDoS attacks, spam, worms and viruses are with us every step of the way. The packet containing this sentence might be sitting in a buffer right behind a packet carrying Welchia. Who could know? Adding to this problem are the hastily implemented filters placed on routers and firewalls all over the Internet, blocking traffic from an assortment of IP ranges for infractions committed by whoever held that IP space at some point in time. If enough of these forgotten filters exist for an IP range, they render the entire range simply unusable.
The closest analogue I have come up with for what I'm thinking of is BGP. While BGP may be undergoing a renaissance of sorts at the moment, it provides the basic structure for the distributed firewall I have in mind.
Currently, you must be a somewhat-trusted entity with significant connectivity to be assigned an ASN. DBP (Distributed Blackhole Protocol) would work similarly, with neighbors authenticated via private keys or the like. Given the nature of the protocol, participation in DBP would be subject to intense peer review and might initially be limited to Tier 1 providers.
The main thrust of DBP is that a trusted source can determine the origin of an unattractive datastream, or at least the DBP peering point closest to it. That datastream might be a zombie engaged in a smurf attack, an open relay, or a worm-infested host. The trusted source would then issue a DBP drop request to the DBP peer closest to the origin, which would populate a dynamic ACL to blackhole that specific traffic from the origin destined for the requesting source.
The DBP filtering agent need not be a router; the agents could be transparent, fail-open in-line devices on the Ethernet segments connecting peering points or edge routers. They could be driven by a central server that receives and acts upon inbound requests from DBP sources. This would permit centralized administration and allow cheaper agents to be deployed throughout a network. Communication between the DBP server and its agents should be source-address filtered and SSL encrypted at the least, with private-key authentication of both ends (so a spoofed server cannot push rules to an agent). With this method, agent configuration should be minimal and deployment relatively simple, which will be an important factor for adoption.
Here's a very simple illustration:
A configurable request threshold for automated filter invocation can be set on a global and per-subnet basis (e.g. more than n identical requests within x minutes from distinct DBP sources triggers automatic filtering).
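To make the flow above concrete, here is an added example that is not part of the original post and not the Perl/iptables reference implementation mentioned below: a toy DBP server that authenticates a drop request from a peer, emits the targeted rule (origin to requester), counts how many distinct peers have reported the same origin inside the window, and escalates to a full blackhole of the origin once the global or per-subnet threshold is exceeded. The peer registry, HMAC shared secrets (a stand-in for the per-peer private keys the post calls for), the exact message layout and the "escalate to a full blackhole" reading of the threshold rule are all my assumptions. The iptables commands are returned as strings rather than executed, so it runs without root.

```python
"""Toy DBP (Distributed Blackhole Protocol) server: an added illustration, not
the post's reference implementation. iptables commands are kept as strings."""
import hashlib
import hmac
import ipaddress
import json
import time
from collections import defaultdict

# Hypothetical peer registry (constructed). A shared HMAC secret stands in for
# the per-peer private-key authentication; a real deployment would use client
# certificates or signed messages over TLS.
PEER_SECRETS = {
    "as64500": b"constructed-secret-1",
    "as64501": b"constructed-secret-2",
    "as64502": b"constructed-secret-3",
    "as64503": b"constructed-secret-4",
}


def sign_request(peer_id, origin, target, ts, secret):
    """Build a drop request: origin = offending host, target = requesting network."""
    body = {"peer": peer_id, "origin": origin, "target": target, "ts": ts}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return body


class DBPServer:
    def __init__(self, global_threshold=3, window_s=600, subnet_thresholds=None):
        self.global_threshold = global_threshold
        self.window_s = window_s
        # Per-subnet overrides of the auto-filter threshold (e.g. a stricter /24)
        self.subnet_thresholds = {
            ipaddress.ip_network(k): v for k, v in (subnet_thresholds or {}).items()
        }
        self.reports = defaultdict(dict)  # origin -> {peer_id: last report ts}
        self.rules = []  # every iptables command that would be pushed to agents

    def _verify(self, msg, now):
        """Authenticate the request and reject stale/replayed ones (assumed 5 min skew)."""
        secret = PEER_SECRETS.get(msg.get("peer"))
        if secret is None or abs(now - msg.get("ts", 0)) > 300:
            return False
        body = {k: msg[k] for k in ("peer", "origin", "target", "ts")}
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg.get("mac", ""))

    def _threshold_for(self, origin):
        """Longest-prefix match of per-subnet overrides, else the global threshold."""
        addr = ipaddress.ip_address(origin)
        best = None
        for net, n in self.subnet_thresholds.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, n)
        return best[1] if best else self.global_threshold

    def handle(self, msg, now=None):
        """Process one drop request; return the new iptables commands it produced."""
        now = time.time() if now is None else now
        if not self._verify(msg, now):
            return []
        origin, target, peer = msg["origin"], msg["target"], msg["peer"]
        new_rules = []
        # 1. Targeted rule, as the post describes: drop origin -> requesting source.
        new_rules.append(f"iptables -I FORWARD -s {origin}/32 -d {target} -j DROP")
        # 2. Track distinct peers reporting this origin, dropping reports outside the window.
        reports = self.reports[origin]
        reports[peer] = now
        for stale in [p for p, t in reports.items() if now - t > self.window_s]:
            del reports[stale]
        # 3. Automatic filtering (assumed semantics): more than n distinct peers
        #    within the window -> blackhole the origin entirely, once.
        if len(reports) > self._threshold_for(origin):
            rule = f"iptables -I FORWARD -s {origin}/32 -j DROP"
            if rule not in self.rules:
                new_rules.append(rule)
        self.rules.extend(new_rules)
        return new_rules


def demo():
    """Four peers report the same origin; the fourth exceeds the global threshold of 3."""
    srv = DBPServer(global_threshold=3, window_s=600, subnet_thresholds={"192.0.2.0/24": 1})
    t = 1_700_000_000  # constructed timestamp
    for i, peer in enumerate(sorted(PEER_SECRETS)):
        req = sign_request(peer, "198.51.100.7", "203.0.113.0/24", t + i, PEER_SECRETS[peer])
        srv.handle(req, now=t + i)
    return srv.rules


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The per-subnet override matters in practice: a block that is known to house a lot of compromised hosts can be given a lower trigger, while a block you must never auto-blackhole (your own DNS, a peer's NOC) can be given a threshold no realistic number of reports will exceed.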
I've looked around the net for a similar concept, but haven't seen anything quite like this. I can easily envision a reference implementation using iptables and perl on Linux. I hope to have the time to stitch this together at some point, but if there's anyone willing to have a go at it, or has any comments at all, let me know.