nanog mailing list archives
Re: UUNet Offer New Protection Against DDoS
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Fri, 5 Mar 2004 23:58:38 +0000 (GMT)
On Fri, 5 Mar 2004, Steve Francis wrote:
Christopher L. Morrow wrote:uRPF in the core seems like a bad plan, what with diverse routes and such. Loose-mode might help SOME, but really spoofing is such a low priority issue why make it a requirement? Customer triggered blackholing is a nice feature though.Obviously loose-mode. Spoofing may not be the current weapon of choice, but why not encourage the best net infrastructure?
Loose mode will not save you very much, many larger backbones route lots of 'unused' or 'unallocated' ip space internally for various valid reasons, some even related to security issues for their customers. So, does stopping rfc-1918 (maybe) space help much? not really... atleast not that I can see. Many flooding tools now flood from legittimate space, so the ONLY way to limit this is by filtering as close to the device sourcing the packets as possible. Nebulous filtering and dropping of miniscule amounts of traffic in the core of a large network is just a waste of effort and false panacea. --Chris (formerly chris () uu net) ####################################################### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## #######################################################
Current thread:
- Re: UUNet Offer New Protection Against DDoS, (continued)
- Re: UUNet Offer New Protection Against DDoS Deepak Jain (Mar 03)
- Re: UUNet Offer New Protection Against DDoS Suresh Ramasubramanian (Mar 03)
- Re: UUNet Offer New Protection Against DDoS Randy Bush (Mar 03)
- Message not available
- Re: UUNet Offer New Protection Against DDoS Suresh Ramasubramanian (Mar 03)
- Re: UUNet Offer New Protection Against DDoS Paul (Mar 03)
- Re: UUNet Offer New Protection Against DDoS Steve Francis (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Christopher L. Morrow (Mar 05)
- RE: UUNet Offer New Protection Against DDoS Michael Hallgren (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Steve Francis (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Christopher L. Morrow (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Dan Hollis (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Christopher L. Morrow (Mar 05)
- Re: UUNet Offer New Protection Against DDoS Steve Francis (Mar 06)
- Re: UUNet Offer New Protection Against DDoS Paul Vixie (Mar 06)
- Source address validation (was Re: UUNet Offer New Protection Against DDoS) Sean Donelan (Mar 06)
- Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS) Alex Bligh (Mar 06)
- Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS) Paul Vixie (Mar 06)
- Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS) Dan Hollis (Mar 06)
- Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS) Sean Donelan (Mar 06)
- Re: Source address validation (was Re: UUNet Offer New Protection Paul Vixie (Mar 06)