Why won't providers source-filter attacks? Simple.

Mark Andrews marka at isc.org
Wed Feb 5 01:18:54 UTC 2014

In message <52F17931.40604 at alter3d.ca>, Peter Kristolaitis writes:
> On 2/4/2014 5:00 PM, Mark Andrews wrote:
> >> Nope: it's easy to explain; you merely have to be a cynical bastard:
> >>
> >> Attack traffic takes up bandwidth.
> >>
> >> Providers sell bandwidth.
> >>
> >> It *is* in their commercial best interest (read: maximizing shareholder
> >> value) *NOT* to filter out DOS, DDOS, and spam traffic until their hand is
> >> forced -- it's actually their fiduciary duty not to.
> > Then they need to be made criminally liable for the damage that it causes.
> > Yes, the directors of these companies need to serve gaol time.
> That would never fly, because it would put the politicians at odds with 
> the telecom buddies that make huge political donations.   Hard to throw 
> someone in jail then hit them up for campaign money.  What will 
> probably happen is the same thing we do with everything else that might 
> be used for evil purposes but where we don't want to tackle the real 
> underlying problem -- just write a law banning something and hope the 
> problem goes away.

No, you write a law requiring something, e.g. BCP 38 filtering by
ISPs, and you audit it.  You also make the ISPs' directors liable
for the impact that results from spoofed traffic from them.

Making it law puts all the ISPs in the country on an equal footing
with respect to implementation costs.

> Make it illegal to possess a device capable of bandwidth greater than 
> 33.6Kbps without a special license, and BAM -- no more problems, 
> overnight.  For added political-style points, tack on a catchy moniker, 
> like "Immoral Bandwidth Prohibition", "The War on DDOS", or 
> "High-Capacity Digital Assault Bandwidth" to help sell it to the 
> public.  The public will be OK with their funny cat videos taking 19 
> hours to load if they know they're preventing bad guys from doing 
> something evil.

If you have millions of compromised customers it doesn't matter
what bandwidth limits they have.  You can still launch an amplifying
reflection DDoS from hosts behind 300 baud links.

> After all, it's worked flawlessly for alcohol, drugs and guns, so it 
> MUST work for networks... and it's much easier than those silly, 
> so-called "solutions" y'all are talking about!   :p

Regulation and audits work well enough for butchers, restaurants
etc.  Remember once BCP 38 is implemented it is relatively easy to
continue.  The big step is getting it turned on in the first place
which requires having the right equipment.

Now if we could get equipment vendors to stop shipping models
without the necessary support it would help but that also may require
government intervention.

> - Pete
> (P.S.  Dear politicians:  in case you're reading this, the above was 
> satire and should not be construed as anything resembling a good idea.)

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
