[68253] in North American Network Operators' Group

Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sat Mar 6 23:35:05 2004

From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Message from Sean Donelan <sean@donelan.com> 
	of "Sat, 06 Mar 2004 22:04:58 EST."
	<Pine.GSO.4.58.0403062114300.6699@clifden.donelan.com> 
Date: Sun, 07 Mar 2004 04:34:37 +0000
Errors-To: owner-nanog-outgoing@merit.edu


> ...
> buying screen doors for igloos may not be the best use of resources.  uRPF
> doesn't actually prevent any attacks.

actually, it would.  universal uRPF would stop some attacks, and it would
remove a "plan B" option for some attack-flowcharts.  i would *much* rather
play defense without facing this latent weapon available to the offense.

> Would you rather ISPs spend money to
> 	1. Deploying S-BGP?
> 	2. Deploying uRPF?
> 	3. Respond to incident reports?

"yes."

and i can remember being sick and tired of competing (on price, no less)
against providers who couldn't/wouldn't do #2 or #3.  i'm out of the isp
business at the moment, but the "race to the bottom" mentality is still
a pain in my hindquarters, both present and remembered.
