On Tue, Feb 4, 2014 at 11:08 AM, Doug Barton <dougb@dougbarton.us> wrote:
> The answer is lawsuits. People who are damaged by DDOS need to file suit against the networks that allowed the spoofed packets. Once it becomes more expensive to allow the spoofing (due to both damages and legal bills) than it is to prevent it, people will work harder to prevent it.
+1 for this. While lawsuits rarely improve a situation, I agree it's probably the only way to shift costs back to the bad networks. But then the problem shifts to one of detection and tracing. The bad networks can only be identified if the transit providers have netflow. When I ask transit providers to trace spoofed packets they either don't respond or claim their netflow was temporarily broken. It's not just transit providers, though -- many spoofed attacks come through IXPs. To help, the IXPs need to provide sflow that shows which peers traffic is coming from. I've seen some basic functionality at AMS-IX for this, but unfortunately it's just rrd graphs, not full data. Still, they're better than most. And then the IXPs need to have a policy forbidding spoofed packets.

Damian
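The tracing step Damian describes, attributing spoofed packets to the IXP peer that handed them over, is what per-peer sampled flow data makes possible. The following is an added illustration, not code from the thread or from any IXP: it takes constructed sFlow-style packet samples (ingress source MAC, source IP, destination IP) plus an assumed table mapping each peer's port MAC to the prefixes that peer is expected to originate (in practice something an operator would build from route-server or IRR data), and reports, per peer, how many samples aimed at a given victim carried a source address the peer has no business sending.

```python
import ipaddress
from collections import Counter

# Constructed peer table (assumption for this example): ingress MAC address on the
# exchange fabric -> (peer name, prefixes that peer is expected to source traffic from).
PEERS = {
    "00:11:22:33:44:01": ("peer-a", ["192.0.2.0/24"]),
    "00:11:22:33:44:02": ("peer-b", ["198.51.100.0/24"]),
    "00:11:22:33:44:03": ("peer-c", ["203.0.113.0/24"]),
}

# Constructed sampled flow records in the shape an sFlow packet-sample export gives you:
# the source MAC identifies the peer port the packet arrived on.
SAMPLES = [
    {"src_mac": "00:11:22:33:44:01", "src_ip": "192.0.2.10",    "dst_ip": "198.51.100.5"},
    {"src_mac": "00:11:22:33:44:03", "src_ip": "10.9.9.9",      "dst_ip": "198.51.100.5"},
    {"src_mac": "00:11:22:33:44:03", "src_ip": "172.16.4.4",    "dst_ip": "198.51.100.5"},
    {"src_mac": "00:11:22:33:44:03", "src_ip": "203.0.113.7",   "dst_ip": "198.51.100.5"},
    {"src_mac": "00:11:22:33:44:02", "src_ip": "198.51.100.9",  "dst_ip": "192.0.2.1"},
    {"src_mac": "00:11:22:33:44:0f", "src_ip": "192.0.2.200",   "dst_ip": "198.51.100.5"},
    {"src_mac": "00:11:22:33:44:01", "src_ip": "198.51.100.77", "dst_ip": "198.51.100.5"},
]


def _compile_peers(peers):
    """Parse the prefix strings once so classification is cheap per sample."""
    return {
        mac: (name, [ipaddress.ip_network(p) for p in prefixes])
        for mac, (name, prefixes) in peers.items()
    }


def classify(record, compiled_peers):
    """Return (peer_name, spoofed).

    A sample is 'spoofed' when its source address falls outside every prefix the
    ingress peer is expected to originate. A MAC not in the peer table is reported
    as 'unknown' and also flagged, since nothing vouches for that source.
    """
    src = ipaddress.ip_address(record["src_ip"])
    entry = compiled_peers.get(record["src_mac"])
    if entry is None:
        return "unknown", True
    name, prefixes = entry
    return name, not any(src in net for net in prefixes)


def trace_spoofed(samples, peers, victim):
    """Count, per ingress peer, the samples destined to `victim` that carry a
    source address the peer should not be sending. This is the per-peer view
    that lets an IXP say which port the spoofed traffic came in on."""
    compiled = _compile_peers(peers)
    victim_ip = ipaddress.ip_address(victim)
    hits = Counter()
    for rec in samples:
        if ipaddress.ip_address(rec["dst_ip"]) != victim_ip:
            continue
        peer, spoofed = classify(rec, compiled)
        if spoofed:
            hits[peer] += 1
    return hits


def report(samples, peers, victim):
    """Ranked list of (peer, spoofed_sample_count), worst offender first."""
    return trace_spoofed(samples, peers, victim).most_common()


if __name__ == "__main__":
    for peer, n in report(SAMPLES, PEERS, "198.51.100.5"):
        print(f"{peer}: {n} spoofed samples toward 198.51.100.5")
```

With sampled data the counts are estimates, so the useful output is the ranking of ingress ports rather than the absolute numbers; a peer whose samples consistently carry addresses outside its announced space is the one to take the evidence to. Note that the check relies on the peer table being complete: a peer that legitimately sources traffic from customer prefixes not in the table will show up as a false positive.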