Why won't providers source-filter attacks? Simple.

Saku Ytti saku at ytti.fi
Wed Feb 5 08:46:57 UTC 2014


On (2014-02-04 23:01 -0500), Valdis.Kletnieks at vt.edu wrote:

> > Regulation and audits works well enough for butchers, restaurants
> > etc.  Remember once BCP 38 is implemented it is relatively easy to
> > continue.  The big step is getting it turned on in the first place
> > which requires having the right equipment.
> >
> > Now if we could get equipment vendors to stop shipping models
> > without the necessary support it would help but that also may require
> > government intervention.
> 
> Time to name-and-shame.  It's 2014.  Who's still shipping gear that
> can't manage eyeball-facing BCP38?

If we keep thinking of this problem as a last-mile port problem, it won't be
solved in the next 20 years. Because a lot of those ports really can't do RPF,
and even if they can do it, they are on autopilot and the next change is a
market-forced fork-lift change. The company may not even employ technical
personnel, only buy consulting when making changes.

If we focus on transit borders, we can make spoofed DoS completely impractical
very rapidly, as spoofing is then restricted to inside the domain, and if the
target isn't in the same domain, you can't benefit from it. And as attacks are
from distributed botnets, you'll simply generate more attack traffic by not
spoofing, as you're then not restricted to inside the spoofing domain.

However, a transit border doing ACLs is something that seems to be very
controversial; there is no universal consensus that it even should be done, and
quite few seem to do it. I feel we need to change this, and make the community
at large agree it is the BCP and solve the challenges presented.



-- 
  ++ytti
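The transit-border filtering the post argues for, reduced to its core logic: the provider keeps, per customer-facing border, the list of prefixes that customer (and its downstreams) may legitimately source, and drops anything else arriving on that border. The following is an added illustration written for this archive page, not code from the NANOG thread or from any vendor; the customer names, the prefix table (RFC 5737 documentation ranges) and the sample packets are all constructed.

```python
"""Constructed illustration of a transit-border source-address filter.

Per customer-facing border, the provider lists the prefixes that customer
(and everything routed behind it) may legitimately source. A packet arriving
on that border with any other source address is dropped. The customers and
prefixes below are made up for illustration (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed per-border permitted-source table (hypothetical customers).
CUSTOMER_CONE = {
    "customer-A": ["192.0.2.0/24", "198.51.100.0/25"],
    "customer-B": ["203.0.113.0/24"],
}


def build_filter(cone):
    """Parse the textual prefix lists into ip_network objects once."""
    return {
        name: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for name, prefixes in cone.items()
    }


def source_permitted(filter_table, ingress, src_ip):
    """True if src_ip lies inside a prefix permitted on this ingress border.

    An ingress with no entry has no permitted prefixes, so the check fails
    closed: nothing is accepted by default on an unconfigured border.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in filter_table.get(ingress, []))


def classify(filter_table, packets):
    """Split (ingress, src, dst) tuples into permitted and dropped lists."""
    permitted, dropped = [], []
    for ingress, src, dst in packets:
        bucket = permitted if source_permitted(filter_table, ingress, src) else dropped
        bucket.append((ingress, src, dst))
    return permitted, dropped


# Constructed sample traffic entering the provider on customer-A's border.
SAMPLE_PACKETS = [
    ("customer-A", "192.0.2.10", "203.0.113.5"),     # own prefix: permitted
    ("customer-A", "198.51.100.7", "203.0.113.5"),   # second cone prefix: permitted
    ("customer-A", "203.0.113.99", "192.0.2.10"),    # source belongs to customer-B: dropped
    ("customer-A", "198.51.100.200", "192.0.2.10"),  # outside the /25 (.128-.255): dropped
]


def drop_count(filter_table=None, packets=SAMPLE_PACKETS):
    """Number of sample packets the border filter would discard."""
    if filter_table is None:
        filter_table = build_filter(CUSTOMER_CONE)
    return len(classify(filter_table, packets)[1])


if __name__ == "__main__":
    table = build_filter(CUSTOMER_CONE)
    ok, bad = classify(table, SAMPLE_PACKETS)
    for pkt in ok:
        print("permit", pkt)
    for pkt in bad:
        print("drop  ", pkt)
```

The fourth sample packet shows why the prefix length matters: 198.51.100.200 is one octet away from a permitted prefix but falls outside the /25, so a filter built from the customer's actual announcements rejects it. What the filter does not catch is a source inside customer-A's own cone that does not belong to the sending host; that is exactly the residual the post accepts, spoofing confined to the domain it originated in, where it buys the attacker nothing against targets elsewhere.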