Re: DDOS Attack Mitigation

[abial () WEBGIRO COM (Andrzej Bialecki)]

On Sun, 13 Feb 2000, Darren Reed wrote:

> In some mail from Elias Levy, sie said:
> [...]
> > Network Ingress Filtering:
> > --------------------------
> >
> > All network access providers should implement network ingress filtering
> > to stop any of their downstream networks from injecting packets with
> > faked or "spoofed" addressed into the Internet.
> >
> > Although this does not stop an attack from occurring it does make it
> > much easier to track down the source of the attack and terminate it
> > quickly.
> >
> > For information on network ingress filtering read RFC 2267:
> > http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
>
> You know if anyone was of a mind to find someone at fault over this,
> I'd start pointing the finger at ISP's who haven't been doing this
> due to "performance reasons".  They've had the ability to do it for
> years and in doing so would seriously reduce the number and possibility
> of "spoofing" attacks.

Well, I worked at such ISP. The issue was really simple: given the choice
between:

putting a Cisco 25xx for $x000 and hope that we can deal with the
problem when/if the customers start misbehaving, or

putting a Cisco 47xx for $x0000, and possibly never experience the
problem, but having spent awful lot of money

the decision to select the former had its firm economic ground, don't you
think?

Andrzej Bialecki

//  <abial () webgiro com> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----