|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Steve Francis wrote: > Christopher L. Morrow wrote: > > > > > > >uRPF in the core seems like a bad plan, what with diverse routes and such. > >Loose-mode might help SOME, but really spoofing is such a low priority > >issue why make it a requirement? Customer triggered blackholing is a nice > >feature though. > > > > > > > Obviously loose-mode. > Spoofing may not be the current weapon of choice, but why not encourage > the best net infrastructure? > Loose mode will not save you very much, many larger backbones route lots of 'unused' or 'unallocated' ip space internally for various valid reasons, some even related to security issues for their customers. So, does stopping rfc-1918 (maybe) space help much? not really... atleast not that I can see. Many flooding tools now flood from legittimate space, so the ONLY way to limit this is by filtering as close to the device sourcing the packets as possible. Nebulous filtering and dropping of miniscule amounts of traffic in the core of a large network is just a waste of effort and false panacea. --Chris (formerly [email protected]) ####################################################### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## #######################################################
|