Why do ISPs still not do packet source verification in 2010?
Hi,

I am wondering why it seems that many ISPs still do not do packet source verification in 2010? Just last night I had to deal with a DoS attack that would have been impossible if more ISPs did packet source verification.

I mean, it's 2010. We can do IP-level ACLs in hardware on most of the current routing platforms on the market. I know it can be done on Cisco, Brocade, etc. Not sure on the new NX-OS stuff, but the 6500 series chassis can do IP-level ACL in hardware.

The ACLs aren't hard either: you set an ACL forbidding traffic from anything other than an access-list containing their allocated IP ranges... Grumble.

(On the other hand, it's not like spoofing does any good anyway... if you're willing to work the netflow data and call your upstreams to get at their netflow data, you can easily trace each bot in the botnet to its origination network, which can then look at their traffic flow data and shut it down...)

William
On 20/12/2010 14:41, William Pitcock wrote:
> [...] but the 6500 series chassis can do IP-level ACL in hardware.
As regards uRPF on the Sup720 / RSP720: IPv4, yes; IPv6, no.

BTW, it's worth asking this question when purchasing new equipment: "Does the equipment support both loose and strict IPv6 uRPF in hardware right now? If not, what is the timescale for implementation of each?" The results are currently not very good.

Vendors: please note that support for IPv6 uRPF (both strict and loose) is a basic networking requirement these days.

Nick
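The strict/loose uRPF distinction Nick raises, alongside the allocated-range ingress ACL William describes, modelled in Python as an added example (not code from either poster). The FIB entries, interface names and the allow_default switch are constructed assumptions for the demo: strict mode accepts a packet only if the best route back to its source points out the interface it arrived on, loose mode accepts it if any non-discard route to the source exists, and a bare default route vouches for nothing unless explicitly allowed.

```python
import ipaddress

# Constructed routing table (FIB) for the demo: prefix -> egress interface.
# "Null0" marks a discard (blackhole) route. Sample data, not a real network.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi1/1",      # customer A's allocation
    ipaddress.ip_network("198.51.100.0/24"): "Gi1/2",   # customer B's allocation
    ipaddress.ip_network("203.0.113.0/24"): "Null0",    # blackholed prefix
    ipaddress.ip_network("0.0.0.0/0"): "Gi1/0",         # default route to upstream
}


def lookup(src):
    """Longest-prefix match of the *source* address against the FIB."""
    best = None
    for prefix, iface in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_accept(src_ip, ingress, mode="strict", allow_default=False):
    """Unicast RPF model: forward a packet with this source arriving on ingress?"""
    src = ipaddress.ip_address(src_ip)
    route = lookup(src)
    if route is None:
        return False            # no route at all back to the claimed source
    prefix, iface = route
    if iface == "Null0":
        return False            # discard route is never a valid return path
    if prefix.prefixlen == 0 and not allow_default:
        return False            # a default route alone does not vouch for a source
    if mode == "loose":
        return True             # loose: any usable route to the source suffices
    return iface == ingress     # strict: return path must be the ingress interface


def acl_accept(src_ip, allocated):
    """Ingress ACL alternative on a customer port: permit only allocated ranges."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in allocated)


if __name__ == "__main__":
    # Spoofed packet: customer B's port claiming customer A's address.
    print("strict:", urpf_accept("192.0.2.10", "Gi1/2"))
    print("loose:", urpf_accept("192.0.2.10", "Gi1/2", mode="loose"))
    print("acl:", acl_accept("192.0.2.10", ["198.51.100.0/24"]))
```

Loose mode still drops sources with no route or a blackhole route, which is why it is what operators typically deploy towards peers and upstreams, while strict mode and per-customer ACLs belong on single-homed customer ports.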