TWC (AS11351) blocking all NTP?

Damian Menscher damian at google.com
Tue Feb 4 19:54:52 UTC 2014


On Tue, Feb 4, 2014 at 11:08 AM, Doug Barton <dougb at dougbarton.us> wrote:

> The answer is lawsuits. People who are damaged by DDOS need to file suit
> against the networks that allowed the spoofed packets. Once it becomes more
> expensive to allow the spoofing (due to both damages and legal bills) than
> it is to prevent it, people will work harder to prevent it.


+1 for this.  While lawsuits rarely improve a situation, I agree it's
probably the only way to shift costs back to the bad networks.  But then
the problem shifts to one of detection and tracing.

The bad networks can only be identified if the transit providers have
netflow.  When I ask transit providers to trace spoofed packets they either
don't respond or claim their netflow was temporarily broken.

It's not just transit providers, though -- many spoofed attacks come
through IXPs.  To help, the IXPs need to provide sflow that shows which
peers traffic is coming from.  I've seen some basic functionality at AMS-IX
for this, but unfortunately it's just rrd graphs, not full data.  Still,
they're better than most.  And then the IXPs need to have a policy
forbidding spoofed packets.

Damian


More information about the NANOG mailing list