WANTED: ISPs with DDoS defense solutions

bdragon at gweep.net
Tue Aug 5 18:45:49 UTC 2003


> On Mon, 4 Aug 2003 bdragon at gweep.net wrote:
> 
> >
> > > On Mon, Aug 04, 2003 at 05:28:07PM -0400, bdragon at gweep.net wrote:
> > > >
> > > > > I'm all for raising the bar on attackers and having end networks implement
> > > > > proper source filtering, but even with that 1000 nt machines pinging 2
> > > > > packet per second is still enough to destroy a T1 customer, and likely
> > > > > with 1500 byte packets a T3 customer as well. You can't stop this without
> > > > > addressing the host security problem...
> > > >
> > > > Do you believe backbone networks should do nothing?
> > >
> > > 	I'm not sure what you are saying here, backbones do do
> > > something, the problem is that it's easy to fill up a T1.  *really* easy.
> >
> > I was asking about Chris's use of "having end networks implement
> > proper source filtering" implying that backbones should not do so.
> 
> There are many cases in which the backbone can't determine the 'proper'
> traffic an edge is sending in. Not to mention the problems of filtering on
> an edge device with 100's or 1000's of interfaces. The proper and simple
> place for this filtering is as close to the end device as possible.
> Backbones just aren't made to filter traffic, edge networks are.

Certain "Backbone Networks" _are_ the edge (dialup, single-homed customers,
web-hosting) and yet still don't do anything. Loose RPF is available on
all but the most crippled gear from the major vendors, and I wouldn't want
to go advertising that I had nothing but crippled equipment.

Certain "Backbone Networks" require their customers to provide them
lists of networks, which could certainly be used, with a contact lead time
and customer notice, for filling in Strict+ACL.

Also, you mentioned RFC1918 as it related to loose RPF. Vendor J does line-rate
ACLs. Vendor C (with the compiled ACLs option) does as close to line rate
as that gear is ever likely to do.

The "my gear can't do these things" excuse is getting quite threadbare
at this point. It comes down to not wanting to do these things, and not
wanting to do these things just isn't acceptable.

As Paul stated, there are requirements one can make of peers and customers.
There are requirements one can make of vendors.

As some shoe company has said, "Get out there and _do_ something."
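
The post contrasts loose RPF, Strict+ACL and an RFC1918 ACL without spelling out how the verdicts differ, so here is an added example (not part of the original post, and not any vendor's code) that models an edge router's ingress policy over a small constructed FIB. The prefixes, interface names (cust1, cust2, upstream0, null0) and the rule that the default route does not satisfy uRPF unless explicitly allowed are all assumptions chosen to mirror typical vendor behaviour. It shows the three cases the thread is really arguing about: a spoofed source that only strict mode catches, a multihomed customer whose asymmetric best route makes strict mode drop legitimate traffic while loose mode does not, and a bogon/blackholed source that both modes reject.

```python
import ipaddress

# Constructed example FIB as (prefix, outgoing interface). Not from any real router.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("203.0.113.0/24", "upstream0"),   # multihomed customer: the router only learns
    ("203.0.113.0/25", "cust2"),       # the lower /25 directly from cust2
    ("100.64.0.0/10", "null0"),        # a prefix we have blackholed (assumed)
]

# RFC1918 space, dropped by ACL before any RPF lookup is even attempted.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(fib, src):
    """Longest-prefix match. Returns (network, interface) or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(fib, src, ingress, mode, allow_default=False):
    """True if `src` passes unicast RPF when it arrives on `ingress`.

    strict: the best route back to src must leave via the ingress interface.
    loose : any route to src that is not a null route suffices.
    The default route only counts when allow_default is set (assumed to
    mirror the usual vendor 'allow-default' knob).
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if iface == "null0":              # blackholed prefix: loose RPF drops it too
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def ingress_filter(fib, src, ingress, mode):
    """Edge ingress policy: RFC1918 ACL first, then uRPF. Returns (verdict, reason)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return ("drop", "rfc1918-acl")
    if not rpf_check(fib, src, ingress, mode):
        return ("drop", f"urpf-{mode}")
    return ("forward", "ok")


def demo():
    """Run the constructed cases through both modes; returns {(src, ingress, mode): verdict}."""
    cases = [
        ("192.0.2.10", "cust1"),      # legitimate customer source
        ("198.51.100.5", "cust1"),    # spoofed: that block belongs to cust2
        ("203.0.113.200", "cust2"),   # multihomed customer, best route points upstream
        ("10.1.2.3", "cust1"),        # RFC1918 source
        ("8.8.8.8", "cust1"),         # only the default route matches
        ("100.64.1.1", "upstream0"),  # blackholed source
    ]
    return {(src, ing, mode): ingress_filter(fib=FIB, src=src, ingress=ing, mode=mode)
            for src, ing in cases for mode in ("strict", "loose")}


if __name__ == "__main__":
    for (src, ing, mode), (verdict, why) in sorted(demo().items()):
        print(f"{src:>15} in {ing:<9} {mode:<6} -> {verdict:<7} ({why})")
```

The 203.0.113.200 case is the "backbone can't determine the proper traffic" objection from the quoted reply in miniature: strict mode drops a real customer packet because the covering /24 is learned from upstream, while loose mode still forwards it and still catches sources with no route at all. On the gear the post alludes to, the two modes correspond to the IOS interface commands `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose), and to Junos `family inet rpf-check` with or without `mode loose`.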

More information about the NANOG mailing list