
On Tue, 7 Oct 2003, Suresh Ramasubramanian wrote:
Terry Baranski [10/7/2003 6:05 AM] :
Maybe this will have the positive effect of motivating Cisco to do more to encourage best practices such as edge anti-spoof filtering. To begin with, Barry Green's presentations on these issues are hidden away on his/Cisco's FTP server (ftp://ftp-eng.cisco.com/cons/) -- maybe it would be beneficial to put them (along with write-ups) in an easily-accessible and often-visited area of the main site where people will see them.
There is of course BCP 38 for starters - http://www.armware.dk/RFC/bcp/bcp38.html
You are making assumptions... Cisco haven't said if the source was spoofed or not, as a recent NANOG thread indicated a lot of attacks do not use spoofed addresses any more simply because the controllers have access to enough legitimate Windows boxes to not care about discovery of source.
Even with all your BCPs in place, if someone can get control of enough machines across enough networks, collectively they can produce enough traffic to overwhelm absolutely any single system on the Internet.
I am increasingly sharing the opinion that many of these high profile attacks are carried out by a small group... spammers or whoever they are, the only way to tackle them is directly by hunting them down and prosecuting them. Assuming that there is a cash motivation somewhere (e.g. spam), this also means that there is a very high probability the attackers reside in a country where prosecution would be possible, e.g. US/Europe.
Steve