Karl wrote:
However, if a forged-source data stream IS traced to one of your customers, expect a harsh response from the general network community. This attack is well-enough known by now that I consider anyone unable to immediately and permanently deal with such an incident to be somewhere beneath contempt.
Well, it is going to take more education and pain, apparently. I've got 3 national backbones upstream and they all have a hell of a time just getting ICMP-echo-reply filters in within hours of attack onset, and usually get nowhere with tracing this to an end perp. Granted, it's a difficult, cooperative problem. One of the better respected of them told me that their philosophy was to deliver all packets to me regardless of the source/type. This corker is the type of logic one can apparently come up with when one's routers at Pennsauken are near fall-over. This upstream did install the filter, after escalation, fortunately.

Until Cisco, et al., improve routers to the point where there is low-cost ICMP rate-limiting (or some other better solution) we will have a problem where backbones have to choose between expensive filtering of ICMP-echo-replies for very long periods of time or allowing customer connections to be randomly swamped (rendered useless) for hours by bored 13-year-olds, from virtually anywhere on the net. The latter is of, essentially, zero economic value to us, at least. The current cost of per-link filtering is apparently causing the backbone networks major grief. It is the only current, practical solution, as far as I can see, and yet they will do it very reluctantly because of the CPU impact.

The will to trace this attack seems to be declining also, from my observation, as the success rate continues to be very poor (less than 5 percent by one upstream account, I doubt my other upstreams are even this organized).

We need to get router fixes in place urgently, or bite the bullet on increased costs all around for expensive filters for long periods in current routers, with consequently more routers required. Backbone security teams should be reinforced as they appear to be losing their spirit. This problem is disrupting the service of every ISP in our region on a frequent basis and it is getting worse week by week.

A sometimes-seen tendency to suggest that only a few ISPs with problem-attracting users are affected by this does not recognize the breadth or depth of the problem, nor where it is heading.

Ken Leland
Monmouth Internet