North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

  • From: Paul Vixie
  • Date: Sat Mar 06 23:36:52 2004

> ...
> buying screen doors for igloos may not be the best use of resources.  uRPF
> doesn't actually prevent any attacks.

actually, it would.  universal uRPF would stop some attacks, and it would
remove a "plan B" option for some attack-flowcharts.  i would *much* rather
play defense without facing this latent weapon available to the offense.

> Would you rather ISPs spend money to
> 	1. Deploying S-BGP?
> 	2. Deploying uRPF?
> 	3. Respond to incident reports?

"yes."

and i can remember being sick and tired of competing (on price, no less)
against providers who couldn't/wouldn't do #2 or #3.  i'm out of the isp
business at the moment, but the "race to the bottom" mentality is still
a pain in my hindquarters, both present and remembered.