nanog mailing list archives

Re: Defeating DoS Attacks Through Accountability


From: Mark Prior <mrp () connect com au>
Date: Sun, 12 Nov 2000 15:43:49 +1030


     >It's not the route filters per se, it's the fact that the principle we
     >use is if you don't announce the route to us we won't accept traffic
     >sourced by that network. Saying that you are the source for the
     >network but not advertising the route doesn't cut it.

     Not so fast, there are situations when you are authorized to have a certain
     chunk of address space but elect not to advertise it a certain way for
     whatever reason.  Maybe someone has a pipe that they want to use for
     outbound traffic only and they don't want to use it for inbound traffic at
     all, and as a result, they don't advertise their routes across it.  What
     justification do you use for dropping traffic that falls into this category?

     Obviously, I wouldn't want a situation where I could simply give my provider
     a list of addresses for them to permit without checking that I'm authorized
     - providers should always check that their customers are authorized to use
     the blocks they intend to use.

As there is no real way to determine who is authorised to announce a
prefix we must rely on some measure of "reasonableness", i.e. does it
look likely that a customer should announce that prefix, and in the
case of BGP announced routes we would look in the routing table to see
if the route is already being announced.

     I'll put it this way: filtering should be done against blocks that a
     customer can announce, not against blocks that a customer is actively
     announcing.  If you're filtering purely against current advertisements,
     you're bound to break something sooner or later.

Our agreement with the customer is to supply them with access to the
Internet and so our billing model is formulated on the proposition, i.e.
we charge for bytes delivered to the customer. If the customer doesn't
want us to do that for a network why should we allow them to send out
traffic sourced from that network? Especially since doing that makes
it more difficult to debug routing problems and for others to track
unacceptable behaviour. Just because a network is registered with us
doesn't mean that any third parties know this.

Mark.
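The two filtering policies argued over in this thread, as an added example that is not part of the original post or any provider's configuration: source-address filtering keyed on the prefixes a customer is currently announcing over a link versus filtering keyed on the blocks the customer is registered to announce, plus the provider-side "reasonableness" check against the global table. All prefixes and owner names are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the thread): one customer, two policies.
# Blocks the customer is registered/authorised for with the provider.
AUTHORISED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Prefixes the customer actually announces over THIS link. The second block is
# deliberately absent: the customer uses this pipe for outbound traffic only.
ANNOUNCED_HERE = [ip_network("203.0.113.0/24")]
# What the global routing table attributes each prefix to (constructed).
GLOBAL_TABLE = {
    ip_network("198.51.100.0/24"): "customer-A",
    ip_network("203.0.113.0/24"): "customer-A",
    ip_network("192.0.2.0/24"): "someone-else",
}

def covered(src, prefixes):
    """True if the source address falls inside any prefix in the list."""
    addr = ip_address(src)
    return any(addr in p for p in prefixes)

def accept_by_announcement(src):
    """Announcement-based policy: accept only traffic sourced from prefixes
    the customer announces to us over this link."""
    return covered(src, ANNOUNCED_HERE)

def accept_by_authorisation(src):
    """Authorisation-based policy: accept traffic from any block the customer
    is registered to announce, whether or not it is announced here."""
    return covered(src, AUTHORISED)

def reasonable_to_register(prefix, customer):
    """Provider-side check before adding a block to a customer's filter:
    refuse a prefix the global table already attributes to someone else."""
    owner = GLOBAL_TABLE.get(ip_network(prefix))
    return owner is None or owner == customer

def compare(src):
    """Decision of both policies for one source address."""
    return {"announced": accept_by_announcement(src),
            "authorised": accept_by_authorisation(src)}

if __name__ == "__main__":
    # 198.51.100.5 is the asymmetric case: dropped by the first policy,
    # passed by the second. 192.0.2.9 is spoofed under both.
    for src in ("203.0.113.7", "198.51.100.5", "192.0.2.9"):
        print(src, compare(src))
    print(reasonable_to_register("192.0.2.0/24", "customer-A"))
```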


