[70950] in North American Network Operators' Group
RE: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Wed Jun 2 12:27:20 2004
Date: Wed, 2 Jun 2004 09:26:27 -0700
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Patrick W.Gilmore" <patrick@ianai.net>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Woulda, shoulda. If it is so simple, how come not everyone does it?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Patrick W.Gilmore
Sent: Wednesday, June 02, 2004 9:17 AM
To: nanog@merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
On Jun 2, 2004, at 11:35 AM, Michel Py wrote:
>> Jon R. Kibler wrote:
>> IMHO, there is absolutely no excuse for not doing ingress and
>> egress filtering. In fact, if you are an ISP, I would argue
>> that you are negligent in your fiduciary responsibilities to
>> your customers and shareholders if you are not filtering
>> source IP addresses.
>
> Hey, I'm all for it. Where's the money and the staff?
The money is from your customers, and the staff is your staff. This
scales nicely as the number of customers you have, and therefore your
money and staff, is directly related to the effort you have to put into
the system.
The Internet is a collective. The whole thing does not work if
everyone does not help to keep the whole, well, whole.
If DDoS gets out of hand, if BGP churn is too high, if spam gets out of
hand, if, if, if.
Of course, if everyone filtered ISPs who did not validate the source
IPs of packets originating in their network the way some networks
filter spam sources, the problem would likely correct itself quickly.
The problem is figuring out which providers do not validate source
addresses since, by definition, the problem we are discussing is
spoofed source addresses.... =)
-- 
TTFN,
patrick
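The source-address validation the thread argues about, shown as an added illustration that is not part of the original posts: a strict ingress check (packet from a customer port must carry a source inside that customer's assigned prefixes) paired with an egress check (packets leaving the ISP must carry a source the ISP announces). Interface names, prefixes and packets are constructed sample data.

```python
"""BCP 38 style source-address validation, added illustration (not from the thread)."""
from ipaddress import ip_address, ip_network

# Constructed example: customer-facing interface -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],
}

# Constructed example: everything this ISP is responsible for, used on the way out.
ISP_AGGREGATE = [
    ip_network("192.0.2.0/24"),
    ip_network("198.51.100.0/24"),
    ip_network("2001:db8::/32"),
]


def ingress_permitted(interface, src):
    """Strict ingress filter: a packet arriving on a customer port is accepted
    only if its source lies in a prefix assigned to that customer. Unknown
    interfaces have no prefixes and therefore pass nothing."""
    addr = ip_address(src)
    # Address-family mismatches (v4 address vs v6 prefix) compare as False.
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def egress_permitted(src):
    """Egress filter: a packet leaving toward the rest of the Internet must carry
    a source the ISP announces, so a spoofed source can never leave the network."""
    addr = ip_address(src)
    return any(addr in net for net in ISP_AGGREGATE)


def filter_packets(packets):
    """Split constructed (interface, src) tuples into forwarded and dropped lists,
    applying both the ingress and the egress check to each packet."""
    forwarded, dropped = [], []
    for iface, src in packets:
        ok = ingress_permitted(iface, src) and egress_permitted(src)
        (forwarded if ok else dropped).append((iface, src))
    return forwarded, dropped


if __name__ == "__main__":
    sample = [("ge-0/0/1", "192.0.2.10"),      # legitimate
              ("ge-0/0/1", "198.51.100.10"),   # another customer's address, spoofed
              ("ge-0/0/1", "203.0.113.5"),     # address the ISP does not own at all
              ("ge-0/0/2", "2001:db8:1::7")]   # legitimate IPv6
    fwd, drop = filter_packets(sample)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```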