peering requirements (Re: DDOS anecdotes)

Paul Vixie vixie at mfnx.net
Sat Jun 23 19:05:56 UTC 2001


> ... but I do not blame their IP stack for this like Mr Gibson does though.

Same here.

> ... From spoofed sources because ISPs do not source address filter?
> Gah. Basically untraceable.

This is the problem.

> What should we do?

Recommendation: upgrade your peering requirements to include language like:

	Each peer agrees to emit only IP packets with accurate
	source addresses, to require their customers to do likewise,
	and to extend this requirement to all other peers by $DATE.

Where DATE = (now() + '6 months') or some other negotiated value.

I've been saying this since 1993.  Is anybody ready to believe me yet?  We
solve this, or our industry stops growing because we're spending too much
time dealing with this problem and new customers see diminished returns.


