North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Source address validation (was Re: UUNet Offer New ProtectionAgainst DDoS)
- From: James Edwards
- Date: Sun Mar 07 14:40:52 2004
On Sun, 2004-03-07 at 11:08, fingers wrote:
> just a question
> why is DDoS the only issue mentioned wrt source address validation?
uRPF, strict mode, is how I control 1000+ DSL pvc's from leaking private
address space via broken NAT. Also, all other customer facing interfaces
run uRPF, strict mode. It is a very powerful tool; null route some
trouble causing customer space and traffic destined to this space is
dropped via this null route AND traffic sourced from this space is
dropped via uRPF, strict check. An AS112 NS also takes care of another
facet of this problem.
As to the question of DDoS'es and spoofed address space; once we close
the hole of allowing DDoS'es to come from untraceable address space I
feel we gain something very useful. We now know where the bad stuff is
coming from. The solution to DDoS is not a black box that will go to
Def Con 1 at the first sign of a port scan. You don't put out a fire
with more fuel. Criminal investigation techniques are quite advanced.
We cannot start to put them to use if attacks come from addresses that
do not point back to the attacker. I am just as jaded as the next person
with the present lack of law enforcement support in abuse issues but all
of this is a quite new form of crime through a new medium. A "push back"
system would give us the ability to quickly bring DDoS/DoS'es
under control and complement a system to track down, gather evidence,
and prosecute to persons in control of a DDoS/DoS.
Based on my limited experience with all of this it seems the place for
uRPF is not at the core (core in the context of the Internet backbone)
but at the customer edge, where the problem starts.
James H. Edwards
Routing and Security
At the Santa Fe Office: Internet at Cyber Mesa