Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Michel Py
michel at arneill-py.sacramento.ca.us
Wed Jun 2 16:26:27 UTC 2004
Woulda, shoulda. If it is so simple, how come not everyone does it?
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Patrick W.Gilmore
Sent: Wednesday, June 02, 2004 9:17 AM
To: nanog at merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now
Available With AT&T
On Jun 2, 2004, at 11:35 AM, Michel Py wrote:
>> Jon R. Kibler wrote:
>> IMHO, there is absolutely no excuse for not doing ingress and
>> egress filtering. In fact, if you are an ISP, I would argue
>> that you are negligent in your fiduciary responsibilities to
>> your customers and shareholders if you are not filtering
>> source IP addresses.
>
> Hey, I'm all for it. Where's the money and the staff?
The money is from your customers, and the staff is your staff. This
scales nicely as the number of customers you have, and therefore your
money and staff, is directly related to the effort you have to put into
the system.
The Internet is a collective. The whole thing does not work if
everyone does not help to keep the whole, well, whole.
If DDoS gets out of hand, if BGP churn is too high, if spam gets out of
hand, if, if, if.
Of course, if everyone filtered ISPs who did not validate the source
IPs of packets originating in their network the way some networks
filter spam sources, the problem would likely correct itself quickly.
The problem is figuring out which providers do not validate source
addresses since, by definition, the problem we are discussing are
spoofed source addresses.... =)
--
TTFN,
patrick
More information about the NANOG
mailing list