[169405] in North American Network Operators' Group
Re: Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (George William Herbert)
Sun Feb 23 13:37:02 2014
In-Reply-To: <FBEEA247-620B-48BA-89E5-933ACD6F2AB1@bromirski.net>
From: George William Herbert <george.herbert@gmail.com>
Date: Sun, 23 Feb 2014 10:36:42 -0800
To: Lukasz Bromirski <lukasz@bromirski.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Feb 23, 2014, at 9:50 AM, Lukasz Bromirski <lukasz@bromirski.net> wrote:
> To do some additional checks would require extensive testing, platforms
> capable of doing this in predictable manner (stability, performance)
> and obviously - a lot more work than it costs today.
What are the costs and stability impacts of the DDOS that are running now?
Everyone is asserting it's someone else's problem. Which in a sense it is. But what goes around will come around.
If you are not BCP 38 you are sourcing problems.
If you are transiting or IXPing someone who isn't BCP 38 you are enabling problems.
Is what we are doing now good enough? Probably not.
It would take fewer IXP and transit providers adding analysis capability to backtrack than endpoints. So the enablers are more capable of effecting change. They are less to blame in the first place, but not blameless.
To assert blamelessness is a form of Tragedy of the Commons. If it's crossing your link or switch, you ARE in the responsibility chain.
The last thing I would like to see is large orgs starting to retreat away from open interconnect because of DDOS coming in from less well managed parts of the net.
Perhaps BCP 38 implementation will rise fast enough that these things will not become real, but we have been hearing that for 15 plus years now...
At some point, the "38 will work by itself!" line approaches "Look at the Emperor's fine new clothes!".
-george william herbert
george.herbert@gmail.com
Sent from Kangphone
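What the message calls "being BCP 38" is, in its strict form, a per-interface source-address check: traffic entering from a customer port is only forwarded if its source lies inside the prefixes delegated to that port, so a spoofed NTP request (or any other reflected packet) is dropped at the edge and the operator can see which port originated it. The following is an added illustration of that check, not code from this thread or from any vendor; the interface names, prefixes and sample packets are all constructed for the example.

```python
"""Toy BCP 38 / RFC 2827 strict ingress filter (added example, not from the thread).

Assumption (constructed): a router with customer-facing interfaces, each mapped
to the prefixes legitimately delegated to that customer. A packet arriving on
an interface whose source address falls outside that interface's prefixes is
treated as spoofed and dropped, and the drop is counted per interface so the
operator can see which port is sourcing the junk.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example policy: delegated prefixes per customer-facing interface.
# Interface names and prefixes are made up (RFC 5737 / RFC 3849 documentation space).
INGRESS_POLICY = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],
}


def is_permitted(iface, src):
    """True if src lies inside one of iface's delegated prefixes.

    ipaddress treats an IPv6 address tested against an IPv4 network (and vice
    versa) as simply not contained, so mixed-family policies work without
    special casing.
    """
    addr = ip_address(src)
    return any(addr in net for net in INGRESS_POLICY.get(iface, []))


def filter_packets(packets):
    """Apply the ingress policy to (iface, src, dst) tuples.

    Returns (forwarded, dropped): the list of packets that pass, and a Counter
    of spoofed-source drops keyed by ingress interface.
    """
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if is_permitted(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dropped


# Constructed sample traffic. The third packet claims a source the port was
# never delegated; the fourth uses a prefix that belongs to a different port.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),
    ("ge-0/0/2", "198.51.100.7", "203.0.113.5"),
    ("ge-0/0/1", "203.0.113.99", "198.51.100.123"),  # spoofed: not delegated here
    ("ge-0/0/2", "192.0.2.10", "203.0.113.5"),       # spoofed: wrong port
    ("ge-0/0/2", "2001:db8:1::42", "2001:db8:ffff::1"),
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets; spoofed drops per interface: {dict(drop)}")
```

The per-interface drop counter is the "analysis capability to backtrack" the message asks for: once an edge keeps this state, the port that is originating spoofed traffic is identified without any help from the victim.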