nanog mailing list archives
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sun, 7 Mar 2004 20:35:54 +0000 (GMT)
On Sun, 7 Mar 2004, Laurence F. Sheldon, Jr. wrote:
> fingers wrote:
> > just a question why is DDoS the only issue mentioned wrt source address validation? i'm sure there's other reasons to make sure your customers can't send spoofed packets. they might not always be as news-worthy, but i feel it's a provider's duty to do this. it shouldn't be optional (talking specifically about urpf on customer interfaces, loose where needed)
>
> Because _Distributed_ is the hot buzzword of the day.

and people often separate 'ddos' from 'dos', even though the end is the same as far as your customer is concerned... it's kinda funny really :)

> At least one of us thinks clean traffic is a Good Thing all the time. Packets that can't possibly be used for anything ought to be dumped at the earliest possible opportunity as soon as it is apparent (or could be if anybody looked) that they are "from" addresses that can't be reached or have any other obviously fatal defect.

Here is a sticky point... There are reasons to allow 10.x.x.x sources to transit a network. Mostly the reasons come back to 'broken' configurations or 'broken' hardware. The reasons still equate to customer calls and 'broken' networking from their perspective. I think the thing you are actually driving at is the 'intent' of the packet, which is quite tough for the router to determine.

--Chris
(formerly chris () uu net)
#######################################################
## UUNET Technologies, Inc. ##
## Manager ##
## Customer Router Security Engineering Team ##
## (W)703-886-3823 (C)703-338-7319 ##
#######################################################
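
The strict and loose uRPF checks mentioned in the thread, modelled as an added example that is not part of the original message or of any router's code. The routing table, interface names and function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: prefix -> interface
# the best route points out of. Documentation prefixes, invented interface names.
FIB = {
    "198.51.100.0/24": "cust0",    # single-homed customer
    "203.0.113.0/24": "cust1",     # multihomed customer, best path via cust1
    "192.0.2.0/24": "upstream0",   # somebody else's network
}                                  # no default route and no route for 10.0.0.0/8


def reverse_path(src, fib=FIB):
    """Longest-prefix match on the SOURCE address; None if it is unroutable."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_accept(src, in_if, mode, fib=FIB):
    """strict: the route back to src must point out the arrival interface.
    loose: any route back to src is enough."""
    out_if = reverse_path(src, fib)
    if out_if is None:
        return False               # unreachable source: dropped in both modes
    return mode == "loose" or out_if == in_if


def verdicts(src, in_if):
    """Return (strict_accepts, loose_accepts) for one packet."""
    return (urpf_accept(src, in_if, "strict"), urpf_accept(src, in_if, "loose"))


if __name__ == "__main__":
    samples = [                    # constructed packets: (source, arrival interface)
        ("198.51.100.7", "cust0"), # customer using its own prefix
        ("192.0.2.9", "cust0"),    # customer spoofing a routed foreign address
        ("203.0.113.5", "cust2"),  # multihomed customer on its backup link
        ("10.1.2.3", "cust0"),     # RFC 1918 source leaking from a customer
    ]
    for src, in_if in samples:
        strict, loose = verdicts(src, in_if)
        print(f"{src:15} via {in_if:6} strict={strict!s:5} loose={loose}")
```

The third sample is the case for loose mode on asymmetric or multihomed links, and the second shows what loose mode gives up: a spoofed source passes as long as some route to it exists.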