On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote: [snip]
> Taken to the logical extreme, the "right thing" to do is to deny any spoofed traffic from abusing these services altogether. NTP is not the only one; there is also SNMP, DNS, etc.
...and then we're back to "implement BCP38 already!" (like one of the authors of the document didn't think of that, ferg? ;-)

NB: Some Entities believe all filtering is 'bcp 38' and thus have given this stone-dead logical and sane practice a bad rap. If someone is sloppy with their IRR-based filters or can't drive loose RPF correctly, that isn't the fault of BCP38.

The document specifically speaks to aggregation points, most clearly in the introduction:

"In other words, if an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements."

This goes for access, hosting, and most recently virtual hosting in teh cloude. Stop forgery at your edges and your life will be easier.

Cheers,

Joe

--
RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG
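
Added example, not part of the original message: a sketch of the strict source-address check that the quoted BCP38 introduction describes, applied per downstream interface at an aggregation point. The interface names, prefixes (documentation ranges) and packets are constructed, and the "loose" mode is a simplified model (source matches any known aggregate) included only to show what strict filtering catches that it does not.

```python
import ipaddress

# Constructed sample data: the aggregates announced for each
# downstream-facing interface (documentation prefixes only).
AGGREGATES = {
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.0/25"],
}

def build_filters(aggregates):
    """Parse per-interface prefix lists once; malformed prefixes raise ValueError."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in aggregates.items()}

def source_permitted(filters, ifname, src, strict=True):
    """Strict: source must fall inside the arrival interface's own aggregates.
    Loose (simplified model): source may fall inside any known aggregate."""
    addr = ipaddress.ip_address(src)
    if strict:
        candidates = filters.get(ifname, [])  # unknown interface permits nothing
    else:
        candidates = [n for nets in filters.values() for n in nets]
    # Membership is False when address and network versions differ.
    return any(addr in net for net in candidates)

def filter_ingress(filters, packets, strict=True):
    """Split (ifname, src, dst, dport) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = source_permitted(filters, pkt[0], pkt[1], strict)
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets arriving on downstream interfaces.
PACKETS = [
    ("cust-a", "198.51.100.20", "192.0.2.53", 53),         # source inside aggregate
    ("cust-b", "203.0.113.200", "192.0.2.123", 123),       # outside cust-b's /25
    ("cust-b", "198.51.100.9", "192.0.2.123", 123),        # cust-a space on cust-b
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::53", 53),  # IPv6 inside aggregate
]

if __name__ == "__main__":
    filters = build_filters(AGGREGATES)
    for strict in (True, False):
        _, dropped = filter_ingress(filters, PACKETS, strict=strict)
        print("strict" if strict else "loose", "dropped:", dropped)
```

In strict mode both forged sources on cust-b are dropped at the edge; in the loose model the packet borrowing cust-a's address space is forwarded.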