TWC (AS11351) blocking all NTP?

Doug Barton dougb at dougbarton.us
Tue Feb 4 19:08:09 UTC 2014


On 02/04/2014 08:04 AM, William Herrin wrote:
> On Sun, Feb 2, 2014 at 5:17 PM, Cb B <cb.list6 at gmail.com> wrote:
>> And, I agree BCP38 would help, but that was published 14 years ago.
>
> Howdy,
>
> If just three of the transit-free networks rewrote their peering
> contracts such that there was a $10k per day penalty for sending
> packets with source addresses the peer should reasonably have known
> were forged, this problem would go away in a matter of weeks. Granted
> it would also be helpful to have a BGP extension signifying
> allowed-source-but-don't-route so that RP filtering would work even
> when multihomed. Still, even without automatic RP filtering we're
> capable of preventing spoofed packets if financially incentivized.
>
> Thing is, they can't be the source of the solution until they stop
> being part of the problem.

Won't work because no one will sign that contract.

The answer is lawsuits. People who are damaged by DDoS need to file suit
against the networks that allowed the spoofed packets. Once it becomes 
more expensive to allow the spoofing (due to both damages and legal 
bills) than it is to prevent it, people will work harder to prevent it.

Doug



