
On 2/10/2010 12:30, Charles N Wyble wrote:
http://www.businessweek.com/news/2010-02-10/google-plans-to-build-high-speed-fiber-optic-networks-update2-.html
http://googleblog.blogspot.com/2010/02/think-big-with-gig-our-experimental.html
What do folks think?
Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will encourage the incumbent ISPs to start offering users meaningful BGP communities since they won't be able to keep up with the abuse reports.
David

On 2/10/10 4:00 PM, David Hubbard wrote:
Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will encourage the incumbent ISPs to start offering users meaningful BGP communities since they won't be able to keep up with the abuse reports.
David
ROFL

* David Hubbard:
Residential computers with enough bandwidth to DoS hosting providers; that should be fun.
How is this different from a typical dorm network? (Perhaps with all that P2P filtering software in place, it's a mere self-DoS nowadays, but the analogy was not that far off five years ago or so, with less bandwidth, of course.)

Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will encourage the incumbent ISPs to start offering users meaningful BGP communities since they won't be able to keep up with the abuse reports.
David
That's already here today. tv

On Wed, Feb 10, 2010 at 6:40 PM, Tony Varriale <tvarriale@comcast.net> wrote:
Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will encourage the incumbent ISPs to start offering users meaningful BGP communities since they won't be able to keep up with the abuse reports.
David
That's already here today.
tv
Our typical gambling/casino customer has maybe 1 - 2 Mbps available to them. Pretty much anyone in the U.S. could DDoS them if they didn't have their HTTP/HTTPS traffic proxied, and there are plenty more without any protection at all.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications of The IRC Company, Inc. Follow us on Twitter at http://twitter.com/ddosprotection to find out about news, promotions, and (gasp!) system outages which are updated in real time. Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."

On Wed, Feb 10, 2010 at 3:00 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will
Enough to DoS hosting providers based on _current_ practices. If 1g FTTH catches on, hosting providers will probably want 10/100 Gigabit transfer technology in a short time.

For now, with 1 gigabit residential connections, BCP 38 OUGHT to be Google's answer. If Google handles that properly, they _should_ make it mandatory that all traffic from residential customers be filtered, in all cases, in order to only forward packets with their legitimately assigned or registry-issued publicly verifiable IP prefix(es) in the IP source field. Must be mandatory even for 'resellers', otherwise there's no point.

And Google should provide _reasonable_ response to investigate manual abuse reports to well-publicized points of contact which go directly to a well-staffed dedicated abuse team, with authority and a clear and expeditious resolution process, as a bare minimum, and in addition to any and all automatic measures.

P.S. reasonable abuse response is not defined as a 4-day delayed answer to a 'help, no contact addresses will answer me' post on nanog (long after automated processes finally kicked in). Reasonable response to a continuous 1 gigabit flood or 100 kilopacket flood should be less than 12 hours.

If they think things through carefully (rather than copy+paste Google groups e-mail abuse management), it'll probably be alright
-- -J
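As an added illustration of the BCP 38 ingress check James describes (forward a packet only if its source address lies inside the prefix assigned to the customer port it arrived on), here is a small simulation in Python. It is not code from any list participant or from Google; the port-to-prefix table and the packets are constructed sample data, and the names (PORT_PREFIXES, bcp38_permits, filter_packets) are this example's own.

```python
"""Toy BCP 38 (ingress source-address validation) filter.

Added example, not from the thread. Everything below (prefix assignments,
packets, function names) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes each customer-facing port is allowed to source
# traffic from (what the ISP assigned, or what the registry issued).
PORT_PREFIXES = {
    "cust-port-1": [ipaddress.ip_network("203.0.113.0/28")],
    "cust-port-2": [ipaddress.ip_network("198.51.100.64/26"),
                    ipaddress.ip_network("2001:db8:42::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src: str
    dst: str


def bcp38_permits(pkt, table=PORT_PREFIXES):
    """True only if the source address is inside a prefix assigned to the
    ingress port (strict ingress filtering). Fails closed on unknown ports
    and unparsable addresses."""
    allowed = table.get(pkt.ingress_port)
    if allowed is None:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    # 'in' is False when address family and network family differ,
    # so an IPv4 source never matches an IPv6 prefix by accident.
    return any(src in net for net in allowed)


def filter_packets(pkts, table=PORT_PREFIXES):
    """Split packets into (forwarded, dropped); dropped entries carry a
    reason string suitable for a log line or counter."""
    forwarded, dropped = [], []
    for p in pkts:
        if bcp38_permits(p, table):
            forwarded.append(p)
        else:
            dropped.append((p, "source not within prefix assigned to ingress port"))
    return forwarded, dropped


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("cust-port-1", "203.0.113.5", "192.0.2.10"),        # legitimate
    Packet("cust-port-1", "198.51.100.70", "192.0.2.10"),      # neighbour's prefix, spoofed
    Packet("cust-port-2", "2001:db8:42::1", "2001:db8:1::1"),  # legitimate IPv6
    Packet("cust-port-2", "10.0.0.1", "192.0.2.10"),           # RFC 1918 source, spoofed
    Packet("cust-port-9", "203.0.113.5", "192.0.2.10"),        # port with no assignment
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for p, why in drop:
        print(f"DROP port={p.ingress_port} src={p.src}: {why}")
```

The check is deliberately strict (a port with no assignment forwards nothing), which is the shape the "mandatory even for resellers" requirement implies: a reseller's ports need their delegated prefixes entered, or their traffic is dropped. Note what the filter does not do: a packet sent from a bot's genuine assigned address passes every check here, so this addresses spoofed-source floods only.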

James Hess wrote:
For now.. with 1gigabit residential connections, BCP 38 OUGHT to be Google's answer. If Google handles that properly, they _should_ make it mandatory that all traffic from residential customers be filtered, in all cases, in order to only forward packets with their legitimately assigned or registry-issued publicly verifiable IP prefix(es) in the IP source field. Must be mandatory even for 'resellers', otherwise there's no point.
The amount of DoS that is spoofed today is by all reports significantly lower as a percentage of overall DoS than it was in, say, 2000. BCP 38 is all fine and dandy, and you should implement it, but it's not going to stop the botnets.
And Google should provide _reasonable_ response to investigate manual abuse reports to well-publicized points of contact which go directly to a well-staffed dedicated abuse team, with authority and a clear and expeditious resolution process, as a bare minimum, and in addition to any and all automatic measures.
P.S. reasonable abuse response is not defined as a 4-day delayed answer to a 'help, no contact addresses will answer me' post on nanog (long after automated processes finally kicked in).. Reasonable response to a continuous 1gigabit flood or 100 kilopacket flood should be less than 12 hours.
If they think things through carefully (rather than copy+paste Google groups e-mail abuse management), it'll probably be alright
-- -J

On Feb 12, 2010, at 3:17 PM, Joel Jaeggli wrote:
BCP 38 is all fine and dandy, and you should implement it, but it's not going to stop the botnets.
Yup. Many have these devices they call "Routers" they buy locally that translate spoofed addresses to some well-known outside "public" IP. (They may well still emit "spoofed garbage" but typically for another reason). - Jared

James Hess wrote:
For now.. with 1gigabit residential connections, BCP 38 OUGHT to be Google's answer. If Google handles that properly, they _should_ make it mandatory that all traffic from residential customers be filtered, in all cases, in order to only forward packets with their legitimately assigned or registry-issued publicly verifiable IP prefix(es) in the IP source field. Must be mandatory even for 'resellers', otherwise there's no point.
The amount of DoS that is spoofed today is by all reports significantly lower as a percentage of overall DoS than it was in, say, 2000.
BCP 38 is all fine and dandy, and you should implement it, but it's not going to stop the botnets.
After re-reading the original post, Google will be providing BOTH
a) generic L2 transport for resellers to use in reaching users/subscribers
b) their own L3 product
Enforcing 'resellers' to do BCP38 on their L2 product reads synonymous to "boondoggle." Further, who cares? This isn't where the "bad stuff" is, given the context of a multi-access L2 network.
P.S. reasonable abuse response is not defined as a 4-day delayed answer to a 'help, no contact addresses will answer me' post on nanog (long after automated processes finally kicked in).. Reasonable response to a continuous 1gigabit flood or 100 kilopacket flood should be less than 12 hours.
NOCs that give a crap are good, but we have other tools at our disposal. I find that customers tend to 'take note' they've screwed up something badly when their port goes ERRDISABLE and loses link for a few minutes. I understand that NANOG typically doesn't concern itself with edge-access techniques, but there are easy ways to mitigate a lot of what a NOC might have to handle. Perhaps it's worth forking this thread to discuss? Done well, this should end up somewhere near 'unimportant' or a 'non-issue.'
-Tk

David Hubbard wrote:
Residential computers with enough bandwidth to DoS hosting providers; that should be fun. Maybe it will encourage the incumbent ISPs to start offering users meaningful BGP communities since they won't be able to keep up with the abuse reports.
Residential customers already have enough bandwidth to DOS hosting providers.
David
participants (9)
- Anton Kapela
- David Hubbard
- Florian Weimer
- James Hess
- James Jones
- Jared Mauch
- Jeffrey Lyon
- Joel Jaeggli
- Tony Varriale