[68243] in North American Network Operators' Group

Source address validation (was Re: UUNet Offer New Protection Against

daemon@ATHENA.MIT.EDU (Sean Donelan)
Sat Mar 6 18:39:55 2004

Date: Sat, 6 Mar 2004 18:39:21 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g37jxxpoio.fsf@sa.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, 6 Mar 2004, Paul Vixie wrote:
> (and according to that text, it was a 9-year-old idea at that time.)
>
> it's now 2004.  how much longer do we want to have this problem?

Source address validation (or Cisco's term uRPF) is perhaps more widely
deployed than people realize.  It's not 100%, but what's interesting is
despite its use, it appears to have had very little impact on DDOS or
lots of other bad things.

Root and other DNS servers bear the brunt of misconfigured (not
necessarily malicious attack) devices.  So some people's point of
view may be different.  But relatively few DDOS attacks use spoofed
packets.  If more did, they would be easier to deal with.

After all these years, perhaps it's time to re-examine the assumptions.
