|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: WANTED: ISPs with DDoS defense solutions
Hi, NANOGers. ] leaving the spoofing option open for future generations of attacks, ] rather than having a witch-hunt and tracking down and upgrading every ] insecure edge, is just about the worst thing we could do. When I first looked at this problem back in March 2001, I did a study of one often attacked web site. The data showed that 66.85% of all the source addresses hitting the site were *obvious* bogons, e.g. RFC1918, unallocated prefixes, etc. That is 66.85% of all naughty packets that this site never should have received. What was the total percentage of spoofed source packets? That was anyone's guess. You can see this in a presentation I did entitled "60 Days of Basic Naughtiness": <http://www.cymru.com/Presentations/60Days.zip> Since then things have changed in many ways, but the mitigation of spoofing, be it bogon or otherwise, is an improvement. It takes another tool out of their toolbox. We win this battle by degrees. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
|