Re: Fair Queuing combats DDoS? [was Re: Yahoo! Lessons Learned ]
alex@genesyslab.com said:
> No, the key issue is _frauded src addresses_. All others can be remedied easily.
In my opinion the issue is allowing the clueful to scalably protect their networks against those of the clueless or fallible who do not and will not deploy RPF nor secure their servers any time near now. In the meantime, those who want to survive in the marketplace had better put their clue to use and work out how to protect their networks without relying on the actions of others. This is roughly equivalent to saying "lock your door" when you leave your house, rather than complaining that "the *real* problem is actually thieves, and this is what we need to fix". In the words of Mr Bush, I want something for clueful people to be able to type after "conf t". Asking people who probably aren't on this mailing list and almost certainly don't understand the problem to fix *their* network does not cut the mustard.

--
Alex Bligh
VP Core Network, Concentric Network Corporation (formerly GX Networks, Xara Networks)
> I want something for clueful people to be able to type after "conf t". Asking people who probably aren't on this mailing list and almost certainly don't understand the problem to fix *their* network does not cut the mustard.

e.g. the problem with the ddos attacks is that the pain is far removed from the enabling causes, thus severely weakening prophylactic motivations. two trends may help. as the pain is more universally felt, the motivation may spread. and i suspect that the inclination to peer with non-motivated isps may change.

randy
On Thu, 10 Feb 2000, Randy Bush wrote:
>> I want something for clueful people to be able to type after "conf t". Asking people who probably aren't on this mailing list and almost certainly don't understand the problem to fix *their* network does not cut the mustard.
>
> e.g. the problem with the ddos attacks is that the pain is far removed from the enabling causes, thus severely weakening prophylactic motivations. two trends may help. as the pain is more universally felt, the motivation may spread. and i suspect that the inclination to peer with non-motivated isps may change.
>
> randy
At minimum, a hurt can be put on networks that are irresponsible/inane by effectively blackholing them.

 neighbor db.bad-networks.blah.someone.com remote-as blah-blah
 neighbor db.bad-networks.blah.someone.com description DB of bad networks
 neighbor db.bad-networks.blah.someone.com route-map blackhole in
 neighbor db.bad-networks.blah.someone.com filter-list 2 out
 !
 route-map blackhole permit 10
  set ip next-hop 127.0.0.1
 !

Suddenly being blackholed from those of us who don't wish to deal with operators who won't/can't secure their network might actually get their attention. Much the same as denying the entire APNIC allocation in .htaccess substantially reduces CC fraud on e-commerce sites. I know. It's akin to killing a fly with a sledge-hammer but sometimes it's worth it.

--------------------------------------------
|Signature line included for Jay R Ashworth|
--------------------------------------------
John Fraizer
EnterZone, Inc
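The two halves of this thread, something to type after "conf t" against spoofed sources (Alex's RPF point) and a blackhole feed (John's config), put together as one added Cisco IOS example; this is not from any poster, and the interface names, AS numbers, neighbor address and the 192.0.2.1 trigger next-hop are assumed placeholders.

```cisco
! Added example, not from any post in this thread. Interface names, AS
! numbers, the neighbor address and the 192.0.2.1 next-hop are assumed.
!
! 1. Strict unicast RPF on customer-facing edges: a packet is dropped
!    unless the route back to its source address points out the
!    interface it arrived on. This stops spoofed-source floods at the
!    network that originates them, which is the RPF deployment Alex
!    says the clueless will not do.
interface Serial0/0
 description customer edge (assumed)
 ip verify unicast reverse-path
!
! 2. Loose RPF on peering/transit, where routing is asymmetric and
!    strict mode would drop legitimate traffic: only sources with no
!    route at all (bogons) are discarded.
interface GigabitEthernet1/0
 description peering (assumed)
 ip verify unicast source reachable-via any
!
! 3. Destination blackhole, the clean form of John's route-map: the
!    dummy next-hop has a static route to Null0, so any prefix learned
!    from the blackhole feed is discarded in the forwarding path rather
!    than depending on how the box treats 127.0.0.1 as a next-hop.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map blackhole permit 10
 set ip next-hop 192.0.2.1
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 description blackhole feed (assumed)
 neighbor 203.0.113.1 route-map blackhole in
 ! never re-advertise the feed's prefixes to anyone else
 neighbor 203.0.113.1 filter-list 2 out
!
ip as-path access-list 2 deny .*
```

Check the effect with `show ip interface Serial0/0 | include verify` for the RPF state and `show ip route 192.0.2.1` to confirm the Null0 route is installed before the feed is brought up.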