Source address validation (was Re: UUNet Offer New Protection Against DDoS)

Ken Diliberto ken at kdmd.net
Mon Mar 8 05:43:12 UTC 2004


Sean Donelan wrote:

> On Sun, 7 Mar 2004, E.B. Dreger wrote:
> 
>>SAV doesn't take long to implement.  Considering the time spent
>>discounting spoofing when responding to incidents, I think there
>>would be a _net_ savings (no pun intended) in time spent
>>responding to incidents.
> 
> 
> You would be wrong.  There are networks that have deployed SAV/uRPF.
> 
> They saw no _net_ savings.
> 
> In the real world, it costs more to deploy and maintain SAV/uRPF.
> 
> Have you noticed this thread is full of people who don't run large
> networks saying other people who do run networks should deploy SAV/uRPF.
> 
> But there hasn't been anyone who does run large networks saying they
> deployed SAV/uRPF and it saved them money, made their network run better
> or improved the world?

Where do you draw the line between large and not large?  Does a
university with a /16 count as large?  We do both SAV and a version of
uRPF.  It makes our network run better, saves us money (reduces the
amount of time we spend on support and makes
troubled/distressed/evil/mean/nasty boxes easier to track down) and
reduces backbone congestion, making the network run better.  Another
benefit is it improves the world (betcha' were wondering if I'd squeeze
all that in).

We're now blocking all SMTP traffic leaving the campus from non-blessed
sources (read: mail servers).  The first day doing this we had comments
about less junk mail traffic.  We block traffic we consider harmful that
shouldn't leave the campus.  We're trying to do our part.

Any suggestions how we can do better?

Ken
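The three controls Ken describes (source address validation at the campus border, "a version of uRPF", and dropping outbound SMTP from anything that is not a blessed mail server) can be written out as one small egress-policy model. The following is an added example, not code from the thread or from any of the posters' networks; every prefix, interface name, host address and routing entry in it is constructed for illustration (RFC 5737 documentation ranges stand in for the university's /16), and the uRPF check is a textbook strict/loose lookup against a toy FIB rather than any vendor's implementation.

```python
"""Model of three outbound controls at a campus border, run over constructed
packets: source address validation (SAV), strict/loose unicast RPF, and an
SMTP egress restriction to blessed mail servers. Added example; all
addresses, prefixes and interfaces below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed campus allocation (two RFC 5737 ranges stand in for a /16).
CAMPUS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
# Constructed list of hosts permitted to originate outbound SMTP.
BLESSED_SMTP_SOURCES = {"203.0.113.25", "198.51.100.25"}
SMTP_PORT = 25

# Constructed FIB: (prefix, interface the prefix is reached through).
FIB = [
    (ipaddress.ip_network("203.0.113.0/24"), "campus-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "campus-b"),
    (ipaddress.ip_network("0.0.0.0/0"), "uplink"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    iface: str   # interface the packet arrived on


def _fib_lookup(addr):
    """Longest-prefix match over FIB; returns (prefix, interface) or None."""
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(pkt, strict=True):
    """Strict mode: the route back to the source must leave via the ingress
    interface. Loose mode: any route other than the default is enough."""
    route = _fib_lookup(ipaddress.ip_address(pkt.src))
    if route is None or route[0].prefixlen == 0:
        return False   # unrouted, or only covered by the default route
    return route[1] == pkt.iface if strict else True


def egress_decision(pkt):
    """Apply the border policies in order; return (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in CAMPUS_PREFIXES):
        return ("drop", "sav: source address not in campus prefixes")
    if not urpf_check(pkt, strict=True):
        return ("drop", "urpf: source not routed via ingress interface")
    if pkt.proto == "tcp" and pkt.dport == SMTP_PORT \
            and pkt.src not in BLESSED_SMTP_SOURCES:
        return ("drop", "smtp-egress: source is not a blessed mail server")
    return ("permit", "ok")


def offenders(packets):
    """Group dropped packets by source address, which is what lets support
    staff walk straight to the misbehaving box instead of guessing."""
    out = {}
    for p in packets:
        verdict, reason = egress_decision(p)
        if verdict == "drop":
            out.setdefault(p.src, []).append(reason)
    return out


# Constructed sample traffic seen at the border.
SAMPLE_PACKETS = [
    Packet("203.0.113.25", "192.0.2.10", "tcp", 25, "campus-a"),   # blessed MTA
    Packet("203.0.113.77", "192.0.2.10", "tcp", 25, "campus-a"),   # desktop sending mail
    Packet("203.0.113.77", "192.0.2.10", "tcp", 443, "campus-a"),  # same desktop, HTTPS
    Packet("192.0.2.99", "192.0.2.10", "udp", 53, "campus-a"),     # spoofed foreign source
    Packet("198.51.100.5", "192.0.2.10", "udp", 53, "campus-a"),   # campus address, wrong segment
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src:>14} -> :{p.dport:<4} via {p.iface}:", *egress_decision(p))
    print(offenders(SAMPLE_PACKETS))
```

The fifth sample packet is the case that separates SAV from uRPF: its source is a legitimate campus address, so plain prefix-based SAV would pass it, but it arrived on a segment the FIB does not associate with that prefix, so strict uRPF drops it while loose uRPF would still accept it. Which mode is appropriate depends on whether the campus has asymmetric internal paths, which is the usual reason operators in the thread cite for the "version of" qualifier.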
