|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: New Denial of Service Attack on Panix
Hi Vadim! You are absolutely correct in your 'red flag' that source route filtering does not solve 'all the worlds ip-spoofing security problems', and a great deal of work needs to be done. On the other hand, if all end-user providers at least filter to help guarantee that only valid customer source addresses come from their sphere of influence, these type of denial-of-service attacks would be easier to trace, track, and plug, when necessary. You know how these types of issues are mitigated; one-step-at-a-time. The source route filtering from end-user providers needs to happen, just as ISPs used to demand new providers BGP 'in the old days'. It is not too difficult for higher tier providers to 'sniff and audit' to discover the 'non-compliant' providers, or to set up a mechanism to verify this automatically. One step at a time. Certainly, it is in the best interest of the performance of the Big I to have the filter lists as far down the routing tier as possible and to keep the higher level transit nets as 'filter clean as possible' (filtering 101) This sounds like a gloomly and extremely difficult task; and the reality is, that there is no 100 percent solution, but maybe .95 is achieveable in the short term? .98? Large transit carriers must 'say no' to mid-level providers that refuse to aggressively insure that filtering their customers take place, and this, in itself, is a very difficult to enforce task. Best Regards, Tim PS: Vadim! ......... The East coast is not the same without seeing you in the bookstores and computer stores from time to time. - - - - - - - - - - - - - - - - -
|