I am surprised and disappointed at the somewhat unhelpful discussion about BCP38.
Can BCP38 be an effective defence against the DDoS attacks? Yes, of course. Will it be? No, at least not always. And almost certainly not in our lifetimes.

It is hard for any reasonable (ie multi-homed) network to implement BCP38 unless they do so from the outset. It's also an expense/overhead which doesn't benefit the network operator but benefits everyone else. So the economic incentives simply are not there for ISPs to deploy this: why incur those costs so that your competitors benefit? This is why BCP38 has not been uniformly adopted since it was published ~15 years ago. That situation isn't going to change until the Internet Police come along and *make* everyone use it. In other words, it's never going to happen. Get over it.

Clearly BCP38 has a role in defeating these attacks. But it's not the only tool. IMO it would be better for the people here to discuss other defences: response rate limiting, traffic shaping, kernel filters, improvements to ntpd, share operational experiences, etc.

Encouraging wider uptake of BCP38 is of course a very good thing. But please be realistic about what can be achieved and when. Assuming this is the magic bullet which will fix this problem forever is at best naive. It may even focus efforts away from other areas where achievable improvements could be made.

Please note too that critical DNS servers have been subjected to similar attacks for a couple of years now and this has had very little impact on the uptake of BCP38. If the operators of root and TLD name servers have been unable to ratchet up the use of BCP38 or put pressure on IXPs, what hope is there for contributors to the NTP pool (or other NTP operators)?

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
