CERT suggests (http://www.cert.org/incident_notes/IN-99-07.html)
- Prevent installation of distributed attack tools on your systems
- Prevent origination of IP packets with spoofed source addresses
- Monitor your network for signatures of distributed attack tools
That sounds like good things to do. Others have pointed to RFC 2267 which is somewhat the same. However, it doesn't seem that we're doing all that well on actually following up those suggestions?

As if that isn't enough, may I also draw your collective attention to

draft-ietf-grip-isp-expectations-03.txt

How are we collectively doing on following up on those points?

During this discussion I've seen some claim that the recent attacks were not being carried out using spoofed source IP addresses. That may be so, but still is not a valid argument for not protecting the network from source address spoofing and the effects thereof.
Should we as network operators be taking a pro-active role to police our users for DDOS running boxen?
Sounds like a good idea. However, is it a sufficiently good idea so that a sufficient number of people actually find the time to do something about it?
It seems to me that educating end-users is the problem here, just as educating people to use 'no ip directed-broadcast' was back in 1997.
Well, according to the list on http://www.powertech.no/smurf/ we're not done on that front by a long shot:

114951 networks have been probed with the SAR
19589 of them are currently broken
14682 have been fixed after being listed here

May I suggest that we all get off our collective butts and do something about these items? Even by going so far as to proactively probe our customer networks and/or extracting info from the list available from the above site?

Or are we once again going to hear the knee-jerk and IMHO irresponsible reaction from some ISPs (no, I don't have any particular in mind -- you know who you are) that essentially says "more packets on our networks means more business for us"? Another common claim seems to be "this is none of our business". IMHO not a very responsible reaction that either...

Best regards,

- Håvard
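An added example, not part of the original message: a small audit that reads an IOS-style router configuration and lists the active IP interfaces that do not carry the 'no ip directed-broadcast' line mentioned above. The sample configuration, interface names and function name are constructed for illustration, and the check assumes a software release where directed-broadcast forwarding is on unless explicitly disabled (IOS 12.0 and later default to off).

```python
import re

# Constructed sample configuration (documentation addresses, not from the post).
SAMPLE_CONFIG = """\
hostname edge1
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Ethernet2
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
router rip
"""


def interfaces_forwarding_directed_broadcast(config_text):
    """Return active IP interfaces that lack 'no ip directed-broadcast'."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())  # sub-command of the interface
        else:
            current = None  # '!' or a new top-level section ends the block
    flagged = []
    for name, body in blocks.items():
        has_ip = any(re.match(r"^ip address \d", cmd) for cmd in body)
        if not has_ip or "shutdown" in body:
            continue  # no IP address or administratively down: not an amplifier
        # Assumption: absence of the explicit 'no' form means forwarding is on.
        if "no ip directed-broadcast" not in body:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in interfaces_forwarding_directed_broadcast(SAMPLE_CONFIG):
        print(f"{name}: add 'no ip directed-broadcast'")
```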