[133927] in North American Network Operators' Group


Why do ISPs still not do packet source verification in 2010?

daemon@ATHENA.MIT.EDU (William Pitcock)
Mon Dec 20 09:41:36 2010

Date: Mon, 20 Dec 2010 08:41:31 -0600
From: William Pitcock <nenolod@systeminplace.net>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi,

I am wondering why it seems that many ISPs still do not do packet
source verification in 2010?  Just last night I had to deal with a DoS
attack that would have been impossible if more ISPs did packet source
verification.

I mean, it's 2010.  We can do IP-level ACLs in hardware on most of the
current routing platforms on the market.  I know it can be done on
Cisco, Brocade, etc.  Not sure on the new NX-OS stuff, but the 6500
series chassis can do IP-level ACL in hardware.

The ACLs aren't hard either, you set an ACL forbidding traffic from
anything other than an access-list containing their allocated IP
ranges...

Grumble.

(on the other hand, it's not like spoofing does any good anyway... if
you're willing to work the netflow data and call your upstreams to get
at their netflow data you can easily trace each bot in the botnet to
its origination network which can then look at their traffic flow data
and shut it down...)

William
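The ingress ACL the message describes, written out as an added example in Cisco IOS syntax (this is not configuration from the original post or from any particular ISP). The customer interface name and the two customer prefixes (192.0.2.0/24 and 198.51.100.0/24, documentation ranges) are constructed for illustration; the second form, strict unicast RPF, is the per-interface alternative that reaches the same result from the routing table instead of a hand-maintained list.

```cisco
! Source address verification on a customer-facing edge port.
! Only the customer's allocated ranges may appear as the source of
! packets entering from this interface; everything else is dropped
! and logged so spoofed traffic is visible in the logs.
ip access-list extended CUSTOMER-X-IN
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer X (assumed interface name)
 ip access-group CUSTOMER-X-IN in
!
! Equivalent check without maintaining a list: strict unicast RPF.
! A packet is accepted only if the best route back to its source
! address points out the interface it arrived on. Suitable for
! single-homed customer ports; use "reachable-via any" (loose mode)
! where a customer is multihomed and strict mode would drop
! legitimate asymmetric traffic.
interface GigabitEthernet0/2
 description Customer Y, single-homed (assumed interface name)
 ip verify unicast source reachable-via rx
```

The ACL form is what the message means by "an access-list containing their allocated IP ranges": the permit lines are the allocation, the final deny is the verification. When a customer's allocation changes, the ACL must change with it, which is the operational reason many operators prefer uRPF on access ports and keep explicit ACLs for peering and transit edges where the routing table alone is not a reliable source-address authority.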
