> However, this is unwarranted. The problem is not NTP, the problem is
> the lack of source address filtering.

I would say that even that is only a symptom, that the problem is that people have been granted authority over resources without having concomitant responsibility for their use imposed. Lack of egress filtering by leaf providers is just one symptom of this. (Only leaf providers can really do this; once your customers are large enough to multihome, the administrative burden of egress filtering goes _way_ up.)

> I propose that the existence of an ISP without source address
> filtering is handled by a reputation system similar to what was
> brought in place to bring down open SMTP relays, [...]

Unfortunately it is more difficult because the offender is much harder for the victim to identify. Suppose, for example, that I get a packet with ip_src forged to 74.125.226.115. How can I IDP that sender, even just for me? I can't. I can't even tell the difference between two senders in different places forging such traffic to me. I have to get my upstream to push it to _their_ upstream, etc, until reaching an offender. But with open SMTP relays, I can reject the traffic without needing help from my upstream.

> Just disconnect every provider that refuses to set up source address
> filtering until they give in. No source address filtering? No
> traffic from you. Period.

If providers were willing to cut off paying abusers, we wouldn't be in this mess. Since we are, they aren't, and this is a pipe dream.

Yes, this is depressing. It is one of the reasons I am growing to loathe today's net.

/~\ The ASCII                Mouse
\ / Ribbon Campaign
 X  Against HTML              [email protected]
/ \ Email!            7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
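As an added illustration of the per-customer source address filtering the reply says only leaf providers can practically do, here is a toy model of such an edge filter. This is example code, not code from the list or from any provider; the port names, prefixes and packets are constructed, and the multihomed entry shows where the extra administrative burden comes from.

```python
"""Toy model of per-customer source address (egress) filtering at a leaf
provider's edge. Constructed example: ports and prefixes are made up."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed table: which source prefixes each customer port may emit.
# A single-homed customer lists only the space we assigned it. A multihomed
# customer must also list space assigned by its *other* provider, which the
# edge operator has to learn and keep current by hand (the burden the post
# mentions); if that entry is stale, legitimate traffic is dropped.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "port-1": ["192.0.2.0/24"],                        # single-homed
    "port-2": ["198.51.100.0/25", "203.0.113.0/24"],   # multihomed; 2nd block is other-provider space
}


def build_filters(table: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse the prefix strings once so per-packet checks are cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


FILTERS = build_filters(CUSTOMER_PREFIXES)


def should_forward(port: str, src: str) -> bool:
    """True if a packet arriving on `port` with source `src` may leave the edge.
    Unknown ports have no allowed prefixes and therefore pass nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in FILTERS.get(port, []))


def filter_packets(packets: List[Tuple[str, str, str]]):
    """Split (port, src, dst) packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if should_forward(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic. 74.125.226.115 is the forged source from the post: the
# edge can drop it because it is not customer space, whereas the victim
# receiving it cannot tell which customer of which provider sent it.
SAMPLE = [
    ("port-1", "192.0.2.10", "74.125.226.115"),      # legitimate
    ("port-1", "74.125.226.115", "192.0.2.10"),      # spoofed source, dropped
    ("port-2", "203.0.113.7", "198.51.100.1"),       # multihomed customer's other-provider space
    ("port-2", "198.51.100.200", "192.0.2.1"),       # outside the assigned /25, dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```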
