nanog mailing list archives

Re: Defeating DoS Attacks Through Accountability


From: "Mark Mentovai" <mark-list () mentovai com>
Date: Sat, 11 Nov 2000 11:27:20 -0500 (EST)


Mark Prior wrote:
> It's not the route filters per se, it's the fact that the principle we
> use is if you don't announce the route to us we won't accept traffic
> sourced by that network. Saying that you are the source for the
> network but not advertising the route doesn't cut it.

Not so fast, there are situations when you are authorized to have a certain
chunk of address space but elect not to advertise it a certain way for
whatever reason.  Maybe someone has a pipe that they want to use for
outbound traffic only and they don't want to use it at all for inbound traffic,
and as a result, they don't advertise their routes across it.  What
justification do you use for dropping traffic that falls into this category?

Obviously, I wouldn't want a situation where I could simply give my provider
a list of addresses for them to permit without checking that I'm authorized
- providers should always check that their customers are authorized to use
the blocks they intend to use.

I'll put it this way: filtering should be done against blocks that a
customer can announce, not against blocks that a customer is actively
announcing.  If you're filtering purely against current advertisements,
you're bound to break something sooner or later.

Mark
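
The two filtering policies contrasted in this message, as an added example that is not part of the original post: source filtering against the blocks a customer is authorized to use versus against the routes it currently announces on a link. The prefixes are RFC 5737 documentation ranges, and all names and sample data are constructed assumptions.

```python
import ipaddress

# Constructed sample data, not from the original post.
# Blocks the provider has verified the customer is authorized to use.
AUTHORIZED = ["192.0.2.0/24", "198.51.100.0/24"]
# Routes the customer advertises over this link. 198.51.100.0/24 is left out
# on purpose: the customer uses this link for outbound traffic only.
ANNOUNCED_ON_LINK = ["192.0.2.0/24"]
# Source addresses of packets arriving from the customer.
SAMPLE_SOURCES = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]


def build_filter(prefixes):
    """Turn prefix strings into a list of network objects (the source ACL)."""
    return [ipaddress.ip_network(p) for p in prefixes]


def permits(acl, src):
    """True if the source address falls inside any permitted prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def compare(sources, authorized, announced):
    """Verdict for each source under both policies."""
    auth_acl, ann_acl = build_filter(authorized), build_filter(announced)
    return {
        src: {
            "authorized_policy": permits(auth_acl, src),
            "announced_policy": permits(ann_acl, src),
        }
        for src in sources
    }


def false_drops(results):
    """Sources the customer may legitimately use that the
    announcement-based filter would still drop."""
    return sorted(s for s, v in results.items()
                  if v["authorized_policy"] and not v["announced_policy"])


def unauthorized_announcements(announced, authorized):
    """Announced prefixes not covered by any authorized block."""
    auth = build_filter(authorized)
    return [p for p in announced
            if not any(ipaddress.ip_network(p).subnet_of(a) for a in auth)]


if __name__ == "__main__":
    results = compare(SAMPLE_SOURCES, AUTHORIZED, ANNOUNCED_ON_LINK)
    print("dropped despite authorization:", false_drops(results))
```

Both policies drop the source outside the customer's blocks; only the announcement-based filter also drops the authorized block that is not advertised on the outbound-only link.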



