nanog mailing list archives

Re: Yahoo! Lessons Learned


From: Vadim Antonov <avg () kotovnik com>
Date: Tue, 8 Feb 2000 20:24:55 -0800


Daniel Senie <dts () senie com> wrote:

While implementing these measures may not directly benefit your network,
doing so may thwart an attack against someone else's net. Tomorrow, the
roles could be reversed. As with many areas of managing the Internet,
cooperation is key.

Yep. Actually, tier-1 ISPs can write the requirement for reverse-path source
IP address verification on customer access circuits into their peering agreements.
Enforcement can take the form of penalties per verified incident of a forged source
address attack originating in the peer's network.

(The adversarial IP prefix filtering was needed to institute such prefix-reduction
policies as aggregation and address allocation out of ISP blocks.  I remember that
purely voluntary efforts were pretty much derailed by the negligence of some ISPs
(why does AS 174 come to mind? :)  I do not expect reverse path filtering to be
any different in terms of deployment problems.)

--vadim


