nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Damian Menscher <damian () google com>
Date: Tue, 4 Feb 2014 11:54:52 -0800

On Tue, Feb 4, 2014 at 11:08 AM, Doug Barton <dougb () dougbarton us> wrote:

> The answer is lawsuits. People who are damaged by DDOS need to file suit
> against the networks that allowed the spoofed packets. Once it becomes more
> expensive to allow the spoofing (due to both damages and legal bills) than
> it is to prevent it, people will work harder to prevent it.


+1 for this.  While lawsuits rarely improve a situation, I agree it's
probably the only way to shift costs back to the bad networks.  But then
the problem shifts to one of detection and tracing.

The bad networks can only be identified if the transit providers have
netflow.  When I ask transit providers to trace spoofed packets they either
don't respond or claim their netflow was temporarily broken.

It's not just transit providers, though -- many spoofed attacks come
through IXPs.  To help, the IXPs need to provide sflow that shows which
peers traffic is coming from.  I've seen some basic functionality at AMS-IX
for this, but unfortunately it's just rrd graphs, not full data.  Still,
they're better than most.  And then the IXPs need to have a policy
forbidding spoofed packets.

Damian
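Added example, not part of the thread: one way an IXP or transit operator could use the per-peer flow samples Damian asks for (sFlow/NetFlow tagged with the ingress peer) to attribute spoofed-source packets to the peer that injected them. Peer names, prefixes and samples are constructed here using RFC 5737 documentation ranges; the prefix table stands in for what an operator would build from the peer's route-server announcements or IRR objects.

```python
"""Attribute spoofed-source packets to the peer port they arrived on.

A flow sample records which peer port a packet entered on; a packet whose
source address lies outside every prefix that peer legitimately originates
or transits is a spoofing candidate.  All data below is constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: prefixes each peer is expected to source traffic from.
PEER_PREFIXES = {
    "peer-A": [ip_network("192.0.2.0/24")],
    "peer-B": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")],
}

# Constructed flow samples:
# (ingress peer, src ip, dst ip, proto, dst port, sampled packets)
SAMPLES = [
    ("peer-A", "192.0.2.10",   "203.0.113.200", "udp", 123, 1),
    ("peer-A", "198.51.100.7", "203.0.113.200", "udp", 123, 400),  # peer-B's address
    ("peer-A", "203.0.113.77", "203.0.113.200", "udp", 123, 350),  # not peer-A's either
    ("peer-B", "198.51.100.7", "192.0.2.10",    "tcp", 443, 20),
    ("peer-B", "203.0.113.77", "192.0.2.53",    "udp", 123, 500),  # legitimately peer-B
]


def is_spoofed(peer, src, peer_prefixes=PEER_PREFIXES):
    """True if `src` is outside every prefix `peer` is allowed to source.
    An unknown peer has no allowed prefixes, so everything from it is flagged."""
    addr = ip_address(src)
    return not any(addr in net for net in peer_prefixes.get(peer, []))


def spoofed_packets_by_peer(samples, peer_prefixes=PEER_PREFIXES, dst_port=None):
    """Sum sampled packets per ingress peer that fail the source-prefix check.
    `dst_port` optionally narrows the view, e.g. 123 for the NTP reflector
    traffic discussed in this thread."""
    counts = Counter()
    for peer, src, _dst, _proto, port, pkts in samples:
        if dst_port is not None and port != dst_port:
            continue
        if is_spoofed(peer, src, peer_prefixes):
            counts[peer] += pkts
    return counts


if __name__ == "__main__":
    for peer, pkts in spoofed_packets_by_peer(SAMPLES, dst_port=123).most_common():
        print(f"{peer}: {pkts} sampled packets to udp/123 with out-of-prefix sources")
```

Multiply the per-peer counts by the sampling rate to estimate actual volume before raising it with the peer under the IXP's anti-spoofing policy.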
