Why do ISPs still not do packet source verification in 2010?

William Pitcock nenolod at systeminplace.net
Mon Dec 20 14:41:31 UTC 2010


Hi,

I am wondering why it seems that many ISPs still do not do packet
source verification in 2010?  Just last night I had to deal with a DoS
attack that would have been impossible if more ISPs did packet source
verification.

I mean, it's 2010.  We can do IP-level ACLs in hardware on most of the
current routing platforms on the market.  I know it can be done on
Cisco, Brocade, etc.  Not sure on the new NX-OS stuff, but the 6500
series chassis can do IP-level ACL in hardware.

The ACLs aren't hard either, you set an ACL forbidding traffic from
anything other than an access-list containing their allocated IP
ranges...

Grumble.

(on the other hand, it's not like spoofing does any good anyway... if
you're willing to work the netflow data and call your upstreams to get
at their netflow data you can easily trace each bot in the botnet to
it's origination network which can then look at their traffic flow data
and shut it down...)

William




More information about the NANOG mailing list