nanog mailing list archives

Re: DoS attacks, NSPs unresponsiveness


From: J Bacher <jb () jbacher com>
Date: Thu, 2 Nov 2000 09:58:25 -0600 (CST)



On Thu, 2 Nov 2000 Valdis.Kletnieks () vt edu wrote:

> The problem is that for many ISPs, I fear the only way to get them to
> implement 2827-style filtering is for their upstreams to implement a
> policy of fascist-mode ingress filtering - "We see a bogon packet that
> your site should have filtered, we pull the plug on your link till you
> fix it".

Wonderful.  The problem has been identified.  But, other than
foot-stomping, I haven't seen any solutions to correct it.

The "we'll pull the plug" attitude won't work unless absence of said
filtering violates that ISP's upstream AUP or contract.

Some problems:

ISPs should be doing ingress filtering and aren't.
There [may] exist ISPs that [may] know that such filtering needs to be
done and don't possess the information/wherewithal/incentive to determine
a resolution for implementation.

Some suggestions:

1) Develop a group of technical contacts, one each company, for each Tier
1 provider.
2) Create a document with configuration examples for various routers.
3) Request that each technical contact of these Tier 1 providers
coordinate with its respective internal customer service reps to handle
dissemination of said document to its ISP customers.

or

4) Disseminate the document through other appropriate mailing lists or
newsgroups.

It's completely pointless to identify a problem without also identifying
possible solutions or working toward correcting the problem.



