nanog mailing list archives

Re: Filter NTP traffic by packet size?


From: George William Herbert <george.herbert () gmail com>
Date: Sun, 23 Feb 2014 10:36:42 -0800

On Feb 23, 2014, at 9:50 AM, Lukasz Bromirski <lukasz () bromirski net> wrote:

> To do some additional checks would require extensive testing, platforms
> capable of doing this in predictable manner (stability, performance)
> and obviously - a lot more work than it costs today.


What are the costs and stability impacts of the DDOS that are running now?

Everyone is asserting it's someone else's problem.  Which in a sense it is.  But what goes around will come around.

If you are not BCP 38 you are sourcing problems.

If you are transiting or IXPing someone who isn't BCP 38 you are enabling problems.

Is what we are doing now good enough?  Probably not.

It would take fewer IXP and transit providers adding analysis capability to backtrack than endpoints.  So the enablers are more capable of effecting change.  They are less to blame in the first place, but not blameless.

To assert blamelessness is a form of Tragedy of the Commons.  If it's crossing your link or switch, you ARE in the responsibility chain.

The last thing I would like to see is large orgs starting to retreat away from open interconnect because of DDOS coming in from less well managed parts of the net.

Perhaps BCP 38 implementation will rise fast enough that these things will not become real, but we have been hearing that for 15 plus years now...

At some point, the "38 will work by itself!" line approaches "Look at the Emperor's fine new clothes!".


-george william herbert
george.herbert () gmail com

Sent from Kangphone
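As an added illustration of the BCP 38 point made in this message (example code, not from the thread or any of its authors): a minimal source-address validation check for customer-facing interfaces, with constructed interface names, prefixes and packets, including spoofed UDP/123 requests of the kind that feed NTP reflection.

```python
"""Added example (not from the NANOG thread): a minimal BCP 38 ingress-filter
check. For each customer-facing interface we know the prefixes assigned to that
customer; a packet arriving on that interface whose source address is outside
them is spoofed and should be dropped at the edge. Interfaces, prefixes and
packets below are constructed sample data, not real network data."""
import ipaddress
from collections import Counter

# Constructed: prefixes legitimately assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}

def bcp38_permits(interface: str, src: str) -> bool:
    """True if src lies inside a prefix assigned to the customer on interface.
    An unknown interface has no assignment, so nothing is permitted from it."""
    addr = ipaddress.ip_address(src)
    # ipaddress returns False for an address/network version mismatch (v4 vs v6).
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Apply ingress filtering. Returns (forwarded, dropped, drops_per_interface);
    a rising per-interface drop count is what an operator would alert on."""
    forwarded, dropped, drops = [], [], Counter()
    for pkt in packets:
        if bcp38_permits(pkt["iface"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops[pkt["iface"]] += 1
    return forwarded, dropped, drops

# Constructed sample traffic. The third and fourth packets carry a source that
# is not the customer's: in a reflection attack the victim's address is used as
# the source of small NTP requests so the amplified replies land on the victim.
SAMPLE_PACKETS = [
    {"iface": "ge-0/0/1", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 123},
    {"iface": "ge-0/0/2", "src": "2001:db8:100::7", "dst": "203.0.113.5", "dport": 443},
    {"iface": "ge-0/0/1", "src": "203.0.113.200", "dst": "198.51.100.50", "dport": 123},
    {"iface": "ge-0/0/2", "src": "198.51.100.200", "dst": "203.0.113.5", "dport": 123},
]

if __name__ == "__main__":
    fwd, drop, counts = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} per-interface={dict(counts)}")
```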