Re: peering requirements (Re: DDOS anecdotes)

[Hank Nussbacher <hank () att net il>]

At 14:52 26/06/01 -0700, Paul A Vixie wrote:

> >   o source filtering at high bandwidth
>
> i consider this nonsoluable.  some routers can already do it, but making the
> ownership and deployment of such routers be the minimum price of entry into
> the peering game is a fatal nonstarter of an idea.  and the infrastructure
> for expressing netblock ownership in a way that could be used to build
> accurate and reliable filters (assuming the routers could load such filters
> and act on them at wire speed) isn't there.  i think this way lies madness.
>
> source filtering is an edge problem, at current technology levels.  but how
> to ensure that other people do it at THEIR edge is a separate problem from how
> to do it at YOUR edge.  the former is social/economic, the latter is 
> technical.

I have found a fairly easy way to make this start happening.  When putting 
out an RFI/RFP for some Internet connectivity/Web hosting/VPN/etc.  - in 
addition to putting in the obvious rtt minimums, SLAs, OC-48 backbones, 
24x7 NOCs, etc. I have started to include the following:

- anti-spoofing source filtering

Even if the ISP can't do it - the sales and marketing people are now 
driving the change process.  The more RFI/RFPs that ISPs see that contain 
such a mandatory section, the more the network will become a better place 
to live.  There are more than enough consultants/people on this list that 
can drive this process very quickly.

-Hank

PS I also include "human response to abuse@ email within 24 hours" :-)