On Sun, 2004-03-07 at 11:08, fingers wrote:

> just a question
>
> why is DDoS the only issue mentioned wrt source address validation?
uRPF, strict mode, is how I control 1000+ DSL PVCs from leaking private address space via broken NAT. Also, all other customer-facing interfaces run uRPF, strict mode. It is a very powerful tool: null route some trouble-causing customer space and traffic destined to this space is dropped via this null route AND traffic sourced from this space is dropped via the uRPF strict check. An AS112 NS also takes care of another facet of this problem.

As to the question of DDoSes and spoofed address space: once we close the hole of allowing DDoSes to come from untraceable address space, I feel we gain something very useful. We now know where the bad stuff is coming from. The solution to DDoS is not a black box that will go to Def Con 1 at the first sign of a port scan. You don't put out a fire with more fuel.

Criminal investigation techniques are quite advanced. We cannot start to put them to use if attacks come from addresses that do not point back to the attacker. I am just as jaded as the next person with the present lack of law enforcement support in abuse issues, but all of this is a quite new form of crime through a new medium. A "push back" system would give us the ability to quickly bring DDoS/DoSes under control and complement a system to track down, gather evidence, and prosecute the persons in control of a DDoS/DoS.

Based on my limited experience with all of this, it seems the place for uRPF is not at the core (core in the context of the Internet backbone) but at the customer edge, where the problem starts.

-- 
James H. Edwards
Routing and Security
At the Santa Fe Office: Internet at Cyber Mesa
[EMAIL PROTECTED]
[EMAIL PROTECTED]
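The interaction the post describes between a null route and the uRPF strict check, as an added example that is not part of the original message. It models an edge router's forwarding table in Python: strict-mode uRPF looks up the packet's source address in the FIB and drops the packet unless the best route points back out the ingress interface. A null route for a troublesome customer slice therefore drops traffic in both directions, and a source from private space with no specific route (the broken-NAT leak) fails the check as well. The FIB contents, interface names, and the RFC 5737 documentation addresses are constructed for the example; treating the default route as not satisfying uRPF is an assumption that mirrors the common strict-mode default.

```python
import ipaddress

# Constructed FIB for a customer-edge router: prefix -> egress interface.
# "Null0" is the discard interface used for a null route. Addresses are
# RFC 5737 documentation space; interface names are invented for the example.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Uplink0",       # default route to the core
    ipaddress.ip_network("198.51.100.0/24"): "Dsl1",   # customer A
    ipaddress.ip_network("203.0.113.0/24"): "Dsl2",    # customer B
    ipaddress.ip_network("203.0.113.64/26"): "Null0",  # trouble-causing slice, null routed
}


def lookup(addr):
    """Longest-prefix match in the FIB; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict_pass(src, ingress):
    """Strict-mode uRPF: the best route to the source must exit via `ingress`.
    Assumption: a default route does not count as a valid reverse path."""
    route = lookup(src)
    if route is None or route[0].prefixlen == 0:
        return False  # no specific route back to the source (e.g. leaked RFC 1918 space)
    return route[1] == ingress


def forward(src, dst, ingress):
    """Verdict for a packet from `src` to `dst` arriving on `ingress`."""
    if not urpf_strict_pass(src, ingress):
        return "drop:urpf"
    route = lookup(dst)
    if route is None:
        return "drop:noroute"
    if route[1] == "Null0":
        return "drop:nullroute"   # destination is in null-routed space
    return f"forward:{route[1]}"


if __name__ == "__main__":
    cases = [
        ("198.51.100.10", "192.0.2.1", "Dsl1"),     # legitimate customer traffic
        ("10.0.0.5", "192.0.2.1", "Dsl1"),          # private space leaking through broken NAT
        ("203.0.113.10", "192.0.2.1", "Dsl1"),      # customer B's address arriving on A's PVC
        ("198.51.100.10", "203.0.113.70", "Dsl1"),  # destined to the null-routed slice
        ("203.0.113.70", "192.0.2.1", "Dsl2"),      # sourced from the null-routed slice
    ]
    for src, dst, ingress in cases:
        print(f"{src:>14} -> {dst:<14} on {ingress}: {forward(src, dst, ingress)}")
```

The last two cases are the point the post makes: one null route on the edge router removes the slice from both the forward and the reverse path, so neither inbound traffic to it nor spoofed or abusive traffic claiming to be from it gets past that interface.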