RE: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Woulda, shoulda. If it is so simple, how come not everyone does it?

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick W.Gilmore
Sent: Wednesday, June 02, 2004 9:17 AM
To: nanog@merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

On Jun 2, 2004, at 11:35 AM, Michel Py wrote:
Jon R. Kibler wrote: IMHO, there is absolutely no excuse for not doing ingress and egress filtering. In fact, if you are an ISP, I would argue that you are negligent in your fiduciary responsibilities to your customers and shareholders if you are not filtering source IP addresses.
Hey, I'm all for it. Where's the money and the staff?
The money is from your customers, and the staff is your staff. This scales nicely as the number of customers you have, and therefore your money and staff, is directly related to the effort you have to put into the system.

The Internet is a collective. The whole thing does not work if everyone does not help to keep the whole, well, whole. If DDoS gets out of hand, if BGP churn is too high, if spam gets out of hand, if, if, if.

Of course, if everyone filtered ISPs who did not validate the source IPs of packets originating in their network the way some networks filter spam sources, the problem would likely correct itself quickly. The problem is figuring out which providers do not validate source addresses since, by definition, the problem we are discussing is spoofed source addresses.... =)

-- TTFN, patrick

On Jun 2, 2004, at 12:26 PM, Michel Py wrote:
Woulda, shoulda. If it is so simple, how come not everyone does it?
Why don't people patch their windows boxes, or secure old sendmail installations? Why do people flap announcements, or accept bogons? Why do people jay walk, or cheat on their taxes? Why do people do anything else they should not do?

'Cause people are lazy and stupid. DUH.

-- TTFN, patrick

On Wed, 2 Jun 2004, Patrick W.Gilmore wrote:
Why don't people patch their windows boxes, or secure old sendmail installations? Why do people flap announcements, or accept bogons?
Speaking of flapping, where's ARIN? Seems they've been flapping so bad this morning all our transit providers have dampened them out of existence.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*| I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Hmm - please try to patch a windows box, having a 19200bps dial-in connection and living in a small town. It's almost impossible..

Q. is - why this !@#$ MS opens ports for listening on _CLIENT_ machines (when no one asked them about it), and why they created the world of monocultural OS systems. These are the roots of this problem. Patching is just _patching_. People are not lazy - it is just IMPOSSIBLE to patch millions of these systems.

PS. Sendmail... who told _sendmail_?! Did you try to patch sendmail, when it was installed from unknown sources and configured by an unknown m4 file, and the sources were lost when the engineer was fired 2 years ago? You are welcome to try, I can find such a system for you.

On Jun 2, 2004, at 12:26 PM, Michel Py wrote:
Woulda, shoulda. If it is so simple, how come not everyone does it?
Why don't people patch their windows boxes, or secure old sendmail installations? Why do people flap announcements, or accept bogons? Why do people jay walk, or cheat on their taxes? Why do people do anything else they should not do?
'Cause people are lazy and stupid. DUH.
-- TTFN, patrick
On Wed, 2 Jun 2004 09:26:27 -0700 "Michel Py" <michel@arneill-py.sacramento.ca.us> wrote:
Woulda, shoulda.
The original quote, from the song title, is "Coulda, Woulda, Shoulda"
                                             ^^^^^^
And that sums it up MUCH better ...

-- Richard Cox

MP> Date: Wed, 2 Jun 2004 09:26:27 -0700
MP> From: Michel Py

MP> Woulda, shoulda. If it is so simple, how come not everyone
MP> does it?

It's modern layered security: "We don't have to worry about that here. Another layer will take care of it."

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.

participants (6)
- Alexei Roudnev
- Edward B. Dreger
- Jon Lewis
- Michel Py
- Patrick W.Gilmore
- Richard Cox