Who does source address validation? (was Re: what's that smell?)

Iljitsch van Beijnum iljitsch at muada.com
Tue Oct 8 20:06:12 UTC 2002


On Tue, 8 Oct 2002, John M. Brown wrote:

> Why is it hard to believe that a large amount of RFC-1918 sourced
> traffic is floating around the net?

Because if 20% of all people generate this crap (which is a huge number)
it must be 90% of their traffic to get at 18%. How can someone generate so
much useless traffic and keep doing it, too?

> Root name servers are just one "victim" of this trash.  DOS, DDOS and
> other just stupid configurations contribute to the pile.

So only allow proper source addresses, that's the first step towards
getting rid of DoS.

> Costs can be reduced in several areas:

> 1. Egress filtering, don't let RFC-1918 packets out of your network.

I'm not convinced this is (in general) a substantial amount of traffic.

> 2. Spoof filtering.
> 3. Better tools to mitigate DOS/DDOS attacks.  The technology exists
>    for, say, cable providers to reduce port scans and DOS type attacks.

I would happily kick anyone doing anything that is conclusively abusive
off the net. But access providers aren't going to do this because it costs
them money. Being a good netizen doesn't do them any good. I'm reminded of
the two guys walking over the Serengeti, and they spot a lion. One guy
bends down to tie his shoe laces, and the other says: what are you doing,
you can't outrun a lion! The first guy says: I don't have to, as long as I
can outrun you. People aren't in any hurry to protect the common good,
they just want to keep one step ahead of those who get in trouble for not
doing enough.

> If 1 and 2 are done, this will reduce complaint calls from non-customers,
> which reduces man hour cycles.

Don't count on it. Some people start calling when they're pinged.
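The egress and spoof filtering from the quoted list, as an added example that is not part of the original post or of anyone's production filter: a small Python model of a BCP 38-style border check that drops packets whose source address is RFC 1918 (or another non-routable range) or lies outside the site's own prefixes. The site prefix 203.0.113.0/24, the packet records and the `Packet`/`egress_ok`/`filter_egress` names are constructed for this example. The same function, run on a provider's customer-facing interface with the customer's assigned prefixes as `site_prefixes`, is the spoof filtering of point 2.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges that should never appear on packets leaving a site:
# the three RFC 1918 blocks plus loopback and "this network".
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]


@dataclass
class Packet:
    """Minimal stand-in for an IP header: only the fields the check needs."""
    src: str
    dst: str


def egress_ok(pkt, site_prefixes):
    """Return (allowed, reason).

    A packet may leave the site only if its source is not a bogon
    (point 1, RFC 1918 egress filtering) and falls inside one of the
    site's own prefixes (point 2, spoof filtering).
    """
    src = ipaddress.ip_address(pkt.src)
    for net in BOGON_SOURCES:
        if src in net:
            return False, f"rfc1918/bogon source {src} in {net}"
    if not any(src in p for p in site_prefixes):
        return False, f"spoofed source {src} not in site prefixes"
    return True, "ok"


def filter_egress(packets, site_prefixes):
    """Split packets into (passed, dropped) lists of (packet, reason)."""
    passed, dropped = [], []
    for p in packets:
        ok, reason = egress_ok(p, site_prefixes)
        (passed if ok else dropped).append((p, reason))
    return passed, dropped


# Constructed sample: one legitimate site address, two RFC 1918 sources
# and one forged source from an unrelated (documentation) range.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.1"),
    Packet("10.1.2.3", "198.51.100.1"),
    Packet("192.0.2.55", "198.51.100.1"),
    Packet("172.20.0.9", "198.51.100.1"),
]

if __name__ == "__main__":
    passed, dropped = filter_egress(SAMPLE_PACKETS, SITE_PREFIXES)
    for p, reason in dropped:
        print(f"DROP {p.src} -> {p.dst}: {reason}")
    for p, reason in passed:
        print(f"PASS {p.src} -> {p.dst}")
```

The order of the two checks matters for logging rather than for correctness: an RFC 1918 source would also fail the prefix test, but reporting it separately tells an operator whether the problem is a leaking private network or a deliberately forged source.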