[60056] in North American Network Operators' Group


Re: WANTED: ISPs with DDoS defense solutions

daemon@ATHENA.MIT.EDU (Henry Linneweh)
Wed Jul 30 21:52:04 2003

Date: Wed, 30 Jul 2003 18:51:29 -0700 (PDT)
From: Henry Linneweh <hrlinneweh@sbcglobal.net>
To: Paul Vixie <vixie@vix.com>, nanog@merit.edu
In-Reply-To: <g3el07fprg.fsf@sa.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu


I agree with Paul's position on anti-spoofing, without that, you are fighting a
losing battle.
 
Henry R Linneweh

Paul Vixie <vixie@vix.com> wrote:

> Filtering the bogons does help, and everyone should perform anti-spoofing
> in the appropriate places. It isn't, however, a silver bullet.

it's necessary but not sufficient. but if we knew the source addresses were
authentic, then some pressure on the RIRs to make address block holders
reachable would yield entirely new echelons of accountability.

with the current anonymity of ddos sources, it's not possible to file a class
action lawsuit against suppliers of the equipment, or software, or services
which make highly damaging ddos's a fact of life for millions of potential
class members.

so please focus on "anti-spoofing"'s *necessity* and not on the fact that by
itself it won't be sufficient. "anti-spoofing" will enable solutions which
are completely beyond consideration at this time.

(we'll know the tide has turned when BCP38 certifications for ISPs are
available from the equivalent of "big 8" ("big 2" now?) accounting firms,
and these certifications will be prerequisite to getting BGP set up.)
-- 
Paul Vixie
