On 02/04/2014 08:04 AM, William Herrin wrote:
On Sun, Feb 2, 2014 at 5:17 PM, Cb B <cb.list6@gmail.com> wrote:
And, i agree bcp38 would help but that was published 14 years ago.
Howdy,
If just three of the transit-free networks rewrote their peering contracts such that there was a $10k per day penalty for sending packets with source addresses the peer should reasonably have known were forged, this problem would go away in a matter of weeks. Granted it would also be helpful to have a BGP extension signifying allowed-source-but-don't-route so that RP filtering would work even when multihomed. Still, even without automatic RP filtering we're capable of preventing spoofed packets if financially incentivized.
Thing is, they can't be the source of the solution until they stop being part of the problem.
Won't work because no one will sign that contract. The answer is lawsuits. People who are damaged by DDOS need to file suit against the networks that allowed the spoofed packets. Once it becomes more expensive to allow the spoofing (due to both damages and legal bills) than it is to prevent it, people will work harder to prevent it. Doug