TWC (AS11351) blocking all NTP?

• Previous message (by thread): BCP38 is hard, was TWC (AS11351) blocking all NTP?
• Next message (by thread): TWC (AS11351) blocking all NTP?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 4, 2014 at 11:08 AM, Doug Barton <dougb at dougbarton.us> wrote:

> The answer is lawsuits. People who are damaged by DDOS need to file suit
> against the networks that allowed the spoofed packets. Once it becomes more
> expensive to allow the spoofing (due to both damages and legal bills) than
> it is to prevent it, people will work harder to prevent it.


+1 for this.  While lawsuits rarely improve a situation, I agree it's
probably the only way to shift costs back to the bad networks.  But then
the problem shifts to one of detection and tracing.

The bad networks can only be identified if the transit providers have
netflow.  When I ask transit providers to trace spoofed packets they either
don't respond or claim their netflow was temporarily broken.

It's not just transit providers, though -- many spoofed attacks come
through IXPs.  To help, the IXPs need to provide sflow that shows which
peers traffic is coming from.  I've seen some basic functionality at AMS-IX
for this, but unfortunately it's just rrd graphs, not full data.  Still,
they're better than most.  And then the IXPs need to have a policy
forbidding spoofed packets.

Damian

• Previous message (by thread): BCP38 is hard, was TWC (AS11351) blocking all NTP?
• Next message (by thread): TWC (AS11351) blocking all NTP?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]