Is there consensus on what we should be doing? Actually, I'm looking for a bigger picture of what all UDP services should be doing. DNS is the other obvious example.
If you had asked me a year or two ago, I would have said "rate limiting" and thought that solved the problem. It does solve the reflection attack, but it opens things up to a different type of attack. A bad guy can deny service to Bob at selected servers by sending forged packets to those servers so they start rate limiting him. That doesn't take a lot of traffic so it won't stand out and most of the infrastructure won't even know there is a problem. (That does require that you can figure out what servers Bob is talking to.)

Is there any good writeup on why BCP-38 is so hard to implement and/or why it isn't implemented more often? I assume it's money. Is the problem routers can't do it? (fast enough) Or maybe ISPs don't have their act together?

-- 
These are my opinions. I hate spam.

_______________________________________________
devel mailing list
[email protected]
http://lists.ntpsec.org/mailman/listinfo/devel
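As an added illustration of the two points in this message (it is not part of the post or of any NTPsec code), here is a small model of a per-source token-bucket limiter, showing how a burst of packets forged with Bob's source address exhausts Bob's budget, and how BCP-38 style source address validation at the ISP edge stops the forgeries before they reach the server. The addresses, prefixes, rate and burst are constructed values.

```python
from ipaddress import ip_address, ip_network


class PerSourceLimiter:
    """Token bucket keyed on source address (assumed rate and burst values)."""

    def __init__(self, rate=0.5, burst=4):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[src] = (tokens - 1 if ok else tokens, now)
        return ok


def ingress_ok(src, link_prefix):
    """BCP-38 style check at the ISP edge: a packet may only leave an access
    link if its source address belongs to that link's assigned prefix."""
    return ip_address(src) in ip_network(link_prefix)


def run(trace, bcp38=False, limiter=None):
    """Feed packets (time, source, prefix of the link they entered on) through
    an optional edge filter and the server's limiter; return one verdict each."""
    limiter = limiter or PerSourceLimiter()
    verdicts = []
    for t, src, link_prefix in trace:
        if bcp38 and not ingress_ok(src, link_prefix):
            verdicts.append("dropped at ISP edge")
        elif limiter.allow(src, t):
            verdicts.append("served")
        else:
            verdicts.append("rate limited")
    return verdicts


# Constructed trace: ten packets forged with Bob's source address enter the
# network on a different customer's link, then Bob's own query arrives.
BOB = "198.51.100.7"
TRACE = [(0, BOB, "203.0.113.0/24")] * 10 + [(1, BOB, "198.51.100.0/24")]

if __name__ == "__main__":
    # Limiter alone: the forged burst empties Bob's bucket, so Bob is refused.
    print(run(TRACE)[-1])              # rate limited
    # With source address validation the forgeries never reach the server.
    print(run(TRACE, bcp38=True)[-1])  # served
```

Note that the limiter never sees anything unusual: a few packets per source is exactly the traffic it is designed to absorb, which is the author's point about the infrastructure not knowing there is a problem.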
