North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BCP38 making it work, solving problems

  • From: Fred Baker
  • Date: Tue Oct 19 08:21:06 2004

At 01:11 PM 10/19/04 +0200, JP Velders wrote:
As it was "in the old days": first clean up your own act and then start pointing at others that they're doing "it" wrong.
hear hear... But Paul knows and in fact does that. He is pointing out the difficulty of getting people to do basic things that are for their own benefit.

For example, how many ISPs use TCP MD5 to limit the possibility of a BGP/TCP connection getting hijacked or disrupted by a ddos attack? But this has been in the code since ~1990, and was put there because of a fairly serious and specific attack that was made on Internet routing, and benefits primarily the ISP that enables the procedure in that it knows that its routes are coming to it from systems it has chosen to trust.

Ingress filters help the ISP that installs them, in that a certain class of attacks are prevented among customers of the ISP. Would it be better if all ISPs and all edge networks put appropriate filters in place? Absolutely. But even if they do not, the ISP saves itself that much trouble.

Where ingress filters don't help, of course, is when the attacks come from an apparently-legitimate address. Then we are off to other tools.