Re: register.com down sev0?
I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.

It is nothing less than irresponsible, IMO...

Why _is_ that?

- ferg

-- "Patrick W. Gilmore" <patrick@ianai.net> wrote:

> [snip]
>
> There is no single "appropriately[sic] place" which can absorb 50Mpps. If you meant "appropriately placed" (as in topologically dispersed locations), a well crafted attack could still guarantee _at least_ a partial DoS from an end user PoV. It is essentially impossible to distinguish end-user requests from (im)properly created DoS packets (especially until BCP38 is widely adopted - i.e. probably never).
>
> Since there is no single place - no 13 places - which can withstand a well crafted DoS, you are guaranteed that some users will not be able to reach any of your listed authorities. This is not speculation, this is fact.
>
> All a good provider can do, even with 1000s of servers, is minimize the impact of any DoS.
>
> [snip]

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
On Thu, 26 Oct 2006, Fergie wrote:
> I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?
Do you have any data concerning the actual consistent deployment of BCP38++ in different parts of the world?
> I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.

oh? you have knowledge that this botnet attack used spoofed source addresses?

randy
On Wed, 25 Oct 2006, Randy Bush wrote:
> > I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.
>
> oh? you have knowledge that this botnet attack used spoofed source addresses?

what's curious, to me at least, is that folks equate 'botnet' and 'spoofed source attacks' more often than I'd think is reasonable. I've not got 'hard numbers' but almost every time the attack is determined to be 'botnet' it's not spoofed.

Odd... (not that I'm against bcp38, I just think the distraction in conversation from 'bcp38 is good' to 'we must stop bots' is not helpful)
> what's curious, to me at least, is that folks equate 'botnet' and 'spoofed source attacks' more often than I'd think is reasonable. I've not got 'hard numbers' but almost every time the attack is determined to be 'botnet' it's not spoofed.
>
> Odd... (not that I'm against bcp38, I just think the distraction in conversation from 'bcp38 is good' to 'we must stop bots' is not helpful)

bingo! when you have religion about a hammer, everything looks like a nail.

randy
On Thu, 26 Oct 2006, Chris L. Morrow wrote:
> On Wed, 25 Oct 2006, Randy Bush wrote:
>
> > > I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.
> >
> > oh? you have knowledge that this botnet attack used spoofed source addresses?
>
> what's curious, to me at least, is that folks equate 'botnet' and 'spoofed source attacks' more often than I'd think is reasonable. I've not got 'hard numbers' but almost every time the attack is determined to be 'botnet' it's not spoofed.
>
> Odd... (not that I'm against bcp38, I just think the distraction in conversation from 'bcp38 is good' to 'we must stop bots' is not helpful)

SAT time.

Almost all spoofed attacks are run by botnets.
Almost all attacks are run by botnets.
Almost all spoofed attacks are bigger by a large factor.
Almost all botnet attacks are spoofed attacks? Not quite.

That's about it.
On Thu, 26 Oct 2006 05:11:14 -0000, Fergie said:
> I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively pursuing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?
The same people I mentioned the other day as not having enough clue to do DNS correctly don't have enough clue to do BCP38 correctly either. As one person mentioned, if stuff still requires pioneer-level skillsets to use, the pioneers have more work to do. The problem is that the following wave seems to be made up mostly of chimpanzees, and nobody's figured out how to make routers and network services that can be run by chimps... Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
> Maybe the new slogan needs to be "Save the Internet! Train the chimps!"

Shouldn't 'ip verify unicast source reachable-by rx' be a default setting on all interfaces? Only to be removed by trained chimps?

-Matt

--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
Matthew Crocker wrote:
> > Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
>
> Shouldn't 'ip verify unicast source reachable-by rx' be a default setting on all interfaces? Only to be removed by trained chimps?

Only if you wish to break existing configurations during IOS upgrades. I could see 'ip verify unicast source reachable-by any' (less breakage), but rx will kill all types of good asymmetric routing.

The largest breakage I have seen caused by rx is the link IP breakage caused by the router responding out multiple interfaces. It's also a problem when customers are straddling the fence, purposefully using asymmetric routing.

It would be nicer to have router support where a packet is acceptable if its network is acceptable in the BGP (or IGP) policy/filter (ie, network may not be there, but it is allowed) as well as the link addresses associated with the BGP (or IGP) peer.

-Jack
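As an added illustration of the checks argued over in this thread (Fergie's BCP 38 point, Matt Crocker's 'ip verify unicast source reachable-by rx' proposal, and Jack Bates's objection that strict mode breaks asymmetric routing), here is a small model in Python. It is not code from the thread or from any router vendor: the FIB, interface names, prefixes, packets and per-peer prefix policy are all constructed for illustration, the IOS commands are only quoted in comments, and policy_accept is a sketch of the policy-based check Jack describes, not an implemented router feature.

```python
"""Toy model of strict uRPF, loose uRPF and a policy-based source check.

Added example, not code from the thread or from any router vendor. The FIB,
interface names, prefixes, packets and peer policy below are constructed.
"""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed FIB: prefix -> set of egress interfaces (two members would model
# an ECMP/multipath route). Customer B is dual-connected on Gi0/2 and Gi0/4,
# but the FIB only holds its best path, Gi0/2.
FIB = {
    DEFAULT: {"Gi0/0"},                                   # upstream transit
    ipaddress.ip_network("198.51.100.0/24"): {"Gi0/1"},   # single-homed customer A
    ipaddress.ip_network("192.0.2.0/24"): {"Gi0/2"},      # customer B, best path only
    ipaddress.ip_network("203.0.113.0/24"): {"Gi0/3"},    # single-homed customer C
}

# Constructed per-interface ingress prefix policy: what each peer is allowed
# to route to us, whether or not it is the best path right now.
PEER_POLICY = {
    "Gi0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "Gi0/2": [ipaddress.ip_network("192.0.2.0/24")],
    "Gi0/3": [ipaddress.ip_network("203.0.113.0/24")],
    "Gi0/4": [ipaddress.ip_network("192.0.2.0/24")],
}


def lookup(fib, addr):
    """Longest-prefix match; returns (prefix, egress_interfaces) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best


def urpf_accept(fib, src, ingress, mode, allow_default=False):
    """Model 'ip verify unicast source reachable-by rx' (strict) / 'any' (loose).

    rx:  the source must be routed back out the interface it arrived on.
    any: the source must merely have a route in the FIB.
    In both modes the default route does not count unless allow_default
    (the model of the IOS 'allow-default' keyword).
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    prefix, ifaces = hit
    if prefix == DEFAULT and not allow_default:
        return False
    if mode == "any":
        return True
    if mode == "rx":
        return ingress in ifaces
    raise ValueError(f"unknown uRPF mode {mode!r}")


def policy_accept(policy, src, ingress):
    """Sketch of the alternative Jack Bates asks for (hypothetical feature):
    accept if the source lies inside a prefix the peer on this interface is
    *allowed* to route to us, even if that prefix is not the FIB's best path."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in policy.get(ingress, []))


# Constructed packets: (label, source address, ingress interface)
PACKETS = [
    ("A legit",          "198.51.100.10", "Gi0/1"),  # ordinary customer traffic
    ("A spoofs RFC1918", "10.9.8.7",      "Gi0/1"),  # no route at all: the BCP 38 case
    ("C spoofs A",       "198.51.100.10", "Gi0/3"),  # routed prefix, wrong interface
    ("B asymmetric",     "192.0.2.5",     "Gi0/4"),  # B sends on its 2nd link; FIB says Gi0/2
]


def evaluate(packets=PACKETS, fib=FIB, policy=PEER_POLICY):
    """Return {label: (strict, loose, policy)}; True means accepted."""
    return {
        label: (
            urpf_accept(fib, src, ingress, "rx"),
            urpf_accept(fib, src, ingress, "any"),
            policy_accept(policy, src, ingress),
        )
        for label, src, ingress in packets
    }


if __name__ == "__main__":
    print(f"{'packet':18} strict  loose   policy")
    for label, verdict in evaluate().items():
        cells = "  ".join(f"{'pass' if v else 'DROP':6}" for v in verdict)
        print(f"{label:18} {cells}")
```

The four rows reproduce the trade-off in the thread: the unrouted RFC 1918 source is dropped by every variant (the case BCP 38 is about), the customer spoofing another customer's prefix slips past loose mode, and the dual-connected customer's asymmetric traffic is dropped by strict mode even though it is legitimate, while the policy-based check accepts it and still drops the spoof. Jack's other case, a router answering out of a different interface with a link address, is not modelled here.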
participants (8)
- Chris L. Morrow
- Fergie
- Gadi Evron
- Jack Bates
- Matthew Crocker
- Randy Bush
- Sean Donelan
- Valdis.Kletnieks@vt.edu