North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: John M. Brown
  • Date: Tue Oct 08 15:31:48 2002

Why is it hard to believe that a large amount of RFC-1918 sourced
traffic is floating around the net?

Root name servers are just one "victim" of this trash.  DOS, DDOS and
other just stupid configurations contribute to the pile.

My data is from various core servers, and various clients of ours.
We look at the ingress traffic and see these kinds of numbers.

In the day of the InternetBoom (growth period) people wanted to see
traffic and capacity used up.  It helped fuel the need for more fiber
growth, and thus spending.

Now that we are in more "realistic" times, providers need to save money
and reduce costs.

Costs can be reduced in several areas:

1. Egress filtering, don't let RFC-1918 packets out of your network.
2. Spoof filtering.
3. Better tools to mitigate DOS/DDOS attacks.  The technology exists
   for say, cable providers to reduce port scans and DOS type attacks.


If 1 and 2 are done, this will reduce complaint calls from non-customers,
which reduces man hour cycles.

john brown


On Tue, Oct 08, 2002 at 09:17:46PM +0200, Iljitsch van Beijnum wrote:
> 
> On Tue, 8 Oct 2002, John M. Brown wrote:
> 
> > It seems to reason that if people started filtering RFC-1918 on
> > their edge, we would see a noticeable amount of traffic go away.
> 
> > Simulation models I've been running show that an average of 12 to 18 percent
> > of a provider's traffic would disappear if they filtered RFC-1918 sourced
> > packets.
> 
> That is very hard to believe, unless you are referring to the load on the
> root nameservers. Since they obviously don't receive a reply, these
> resolvers will keep coming back.
> 
> > In addition to the bandwidth savings, there is also a support cost
> > reduction and together, I believe backbone providers can see this
> > on the bottom line of their balance sheets.
> 
> > We have to start someplace.  There is no magic answer for all cases.
> 
> > RFC-1918 is easy to admin, and easy to deploy, in relative terms compared
> > to uRPF or similar methods.
> 
> uRPF is easier: one configuration command per interface. A filter for RFC
> 1918 space is also one configuration command per interface, and some
> command to create the filter.
> 
> > For large and small alike it can be a positive marketing tool, if properly
> > implemented.
> 
> Sure. "We can't be bothered to do proper filtering, but since we filter
> 0.39% of what we should, we are cool."
>
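The two cheap filters the thread argues over, an RFC-1918 source filter (item 1 in John's list) and strict uRPF spoof filtering (item 2, the "one command per interface" Iljitsch mentions), can be modelled offline against flow records to see what share of ingress traffic each would discard. The script below is an added example for this archive page, not code from either poster; the routing table, the interface names (eth0/eth1 customer ports, eth2 upstream) and the flow records are all constructed, and the byte counts are chosen to give round percentages rather than to reproduce the 12 to 18 percent figure from the post.

```python
"""Audit constructed ingress flow records against two filters from the thread:
(1) drop RFC-1918 sourced packets, (2) strict uRPF spoof filtering.
Added example, not the original posters' code; all data below is made up."""
import ipaddress
from collections import namedtuple

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One ingress flow record: source, destination, arrival interface, byte count.
Flow = namedtuple("Flow", "src dst iface nbytes")

# Constructed routing table (assumption, not a real network): prefix -> the
# interface that prefix is reachable through. eth0/eth1 are customer ports,
# eth2 is the upstream.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "eth0",
    ipaddress.ip_network("203.0.113.0/24"): "eth1",
    ipaddress.ip_network("0.0.0.0/0"): "eth2",
}

# Constructed sample flows (not measured data).
SAMPLE_FLOWS = [
    Flow("10.1.2.3",     "198.41.0.4", "eth0", 1500),  # RFC-1918 source leaked out
    Flow("198.51.100.7", "192.0.2.1",  "eth0", 4000),  # legitimate, customer A
    Flow("203.0.113.9",  "192.0.2.1",  "eth0", 2000),  # B's prefix on A's port: spoofed
    Flow("192.168.0.5",  "198.41.0.4", "eth1", 500),   # RFC-1918 source leaked out
    Flow("203.0.113.50", "192.0.2.1",  "eth1", 2000),  # legitimate, customer B
]


def is_rfc1918(src):
    """True if src falls inside one of the RFC 1918 blocks (filter 1)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def best_route_interface(src, routes, allow_default=False):
    """Longest-prefix match of src against routes; returns the interface the
    route points to, or None. As with strict-mode uRPF on most routers, the
    default route is ignored unless allow_default is set."""
    addr = ipaddress.ip_address(src)
    for net in sorted(routes, key=lambda n: n.prefixlen, reverse=True):
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net:
            return routes[net]
    return None


def passes_strict_urpf(flow, routes):
    """Strict uRPF (filter 2): the packet passes only if the best route back
    to its source leaves through the interface the packet arrived on."""
    return best_route_interface(flow.src, routes) == flow.iface


def audit(flows, routes):
    """Report how many bytes of ingress traffic each filter would discard."""
    total = sum(f.nbytes for f in flows)
    rfc1918 = sum(f.nbytes for f in flows if is_rfc1918(f.src))
    urpf_fail = sum(f.nbytes for f in flows if not passes_strict_urpf(f, routes))
    return {
        "total_bytes": total,
        "rfc1918_bytes": rfc1918,
        "rfc1918_pct": round(100.0 * rfc1918 / total, 1),
        "urpf_fail_bytes": urpf_fail,
        "urpf_fail_pct": round(100.0 * urpf_fail / total, 1),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_FLOWS, ROUTES).items():
        print(f"{key}: {value}")
```

On this constructed sample the RFC-1918 filter alone discards 20% of ingress bytes, while strict uRPF discards 40%: every leaked private source fails uRPF too (there is no route back to it), and uRPF additionally catches the customer-B prefix arriving on customer A's port, which an RFC-1918 list can never see. That is the practical difference between the two options in the thread: the prefix list is static and trivially auditable, uRPF is one command per interface but depends on the routing table being correct for the port, which is why it is a poor fit on asymmetric or multihomed customer links.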