[68246] in North American Network Operators' Group


Re: Source address validation (was Re: UUNet Offer New Protection

daemon@ATHENA.MIT.EDU (Alex Bligh)
Sat Mar 6 20:27:42 2004

Date: Sun, 07 Mar 2004 01:27:07 +0000
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Sean Donelan <sean@donelan.com>, Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu, Alex Bligh <alex@alex.org.uk>
In-Reply-To: <Pine.GSO.4.58.0403061813350.6429@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu

--On 06 March 2004 18:39 -0500 Sean Donelan <sean@donelan.com> wrote:

> Source address validation (or Cisco's term uRPF) is perhaps more widely
> deployed than people realize.  It's not 100%, but what's interesting is
> despite its use, it appears to have had very little impact on DDOS or
> lots of other bad things.
...
> But relatively few DDOS attacks use spoofed
> packets.  If more did, they would be easier to deal with.

AIUI that's cause & effect: the gradual implementation of source-address
validation has made attacks dependent on spoofing less attractive to
perpetrators, whereas the availability of large pools of zombie machines
has made the use of source spoofing unnecessary. Cisco et al. have shut
one door, but another one (some suggest labeled Microsoft) has opened.

Those with long memories might draw parallels with the evolution of
phreaking from abuse of the core, which became (reasonably) protected,
to abuse of unprotected PABXen. As I think I said only a couple of days
ago, there is nothing new in the world.

Alex
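To make the source address validation discussed in this thread concrete, here is an added illustration (not code from the original post or from any vendor) of strict- and loose-mode uRPF decisions against a constructed forwarding table and constructed sample packets; interface names and prefixes are assumptions.

```python
"""Strict- and loose-mode unicast RPF (source address validation), as an
added example: FIB, interface names and traffic below are all constructed."""
import ipaddress

# Constructed forwarding table: prefix -> interface through which it is reached.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"):    "eth0",  # single-homed customer A
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # single-homed customer B
    ipaddress.ip_network("0.0.0.0/0"):       "eth2",  # default route to upstream
}

def lookup(addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def urpf_strict(src, ingress):
    """Strict mode: accept only if the best route back to src leaves via the ingress interface.
    Suitable on single-homed customer edges; asymmetric routing would cause false drops."""
    return lookup(src) == ingress

def urpf_loose(src):
    """Loose mode: accept if any non-default route to src exists (bogon/unrouted sources dropped)."""
    ip = ipaddress.ip_address(src)
    return any(ip in prefix for prefix in FIB if prefix.prefixlen > 0)

def filter_strict(packets):
    """Apply strict uRPF to (source, ingress) pairs; return (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if urpf_strict(src, ingress) else dropped).append((src, ingress))
    return accepted, dropped

# Constructed sample traffic on customer-facing interfaces: (source address, ingress interface).
SAMPLE = [
    ("192.0.2.10",   "eth0"),  # legitimate: customer A's address from customer A's link
    ("198.51.100.7", "eth1"),  # legitimate: customer B
    ("203.0.113.5",  "eth0"),  # spoofed: only the default route matches, not eth0
    ("198.51.100.7", "eth0"),  # spoofed: customer B's address arriving on customer A's link
]

if __name__ == "__main__":
    ok, bad = filter_strict(SAMPLE)
    print("accepted:", ok)
    print("dropped :", bad)
```

Loose mode would still pass the two spoofed packets above because both sources are covered by real (non-default) routes, which is why it catches only unrouted sources while strict mode at the customer edge catches neighbour-address spoofing.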
