On Jan 30, 2008 1:51 PM, Jeremy Jackson <[EMAIL PROTECTED]> wrote:
>
> On Wed, 2008-01-30 at 13:03 -0500, Kristian Kielhofner wrote:
> > On Jan 30, 2008 10:10 AM, Jeremy Jackson <[EMAIL PROTECTED]> wrote:
> ...
> > > To be clear, I believe the DDoS issues can only be addressed at the
> > > Autonomous System level, which is typically an ISP or large hosting
> > > company.
> > >
> > > Regards,
> > >
> > > Jeremy
> > >
> >
> > Jeremy,
> >
> > Most carriers that provide you with a BGP session can provide this
> > service. Some do for free, some do for a fee. When setting up BGP with
> > Cogent, for example, you can opt in (for free) to create a second BGP
> > session to a blackhole server. You can advertise /32s to that server
> > and have traffic to it blackholed at Cogent's backbone. Apparently at
> > least Verizon Biz (old MCI/UUNET) also provides this for a fee
> > (probably with to/from AS/IP/etc. matching). With a service like this,
>
> Even with BGP Flowspec, this isn't what I'm talking about. Agreed, it's
> mostly handling the after-effects. The root cause of DDoS is source
> address spoofing. The remedy is Ingress/Egress filtering. Backbones
> such as Cogent don't do this that I'm aware of, and it'll be a long time
> before they do, if ever, IMO.

Ingress/Egress filtering would be nice. And you're correct, most backbones
don't do this. However, even with Ingress/Egress filtering a large enough
botnet would still be a problem (with legitimately sourced IPs). A VoIP
service provider could pretty easily whitelist/blacklist based on these IPs
and the methods I discussed before.

> I believe direct peering offers a solution, on a small/local scale.
> Internet exchanges may rise as a hidden jewel for security (they are
> presently dealt with like secondary, best-effort, volunteer based,
> etc.), which may need to be addressed for mass VoIP adoption.

You're right again with direct peering. That's what we're working toward...

> > There has been some discussion on NANOG about this over the last few
> > days. Well worth the read.
>
> Yes, about time I hopped over there and checked it out.
>

Yeah, sometimes NANOG is worth it... I like the diagrams on your website, btw!

--
Kristian Kielhofner

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-security mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-security
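Added illustration, not code from the thread or from either poster: a small Python model of the two mechanisms discussed above, BCP 38 style ingress filtering at a customer-facing interface (source must belong to the prefixes assigned to that interface) and destination-based /32 blackholing learned from a carrier's blackhole BGP session. The interface names, prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed sample: prefixes the ISP has allocated to each customer-facing
# interface. Ingress filtering admits a packet only if its source address
# falls inside the prefixes assigned to the interface it arrived on.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Constructed sample: /32 destinations a victim has advertised to the
# carrier's blackhole server; traffic to them is discarded in the backbone.
BLACKHOLED = {ipaddress.ip_address("192.0.2.10")}


def ingress_ok(interface, src):
    """BCP 38 check: is src a legitimate source on this interface?
    A mismatched address family (IPv6 source on an IPv4-only interface)
    never matches, so it is treated as spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def classify(interface, src, dst):
    """Edge-router decision for one packet: the anti-spoofing check runs
    first, then the destination-based blackhole, then normal forwarding."""
    if not ingress_ok(interface, src):
        return "drop-spoofed"
    if ipaddress.ip_address(dst) in BLACKHOLED:
        return "blackhole"
    return "forward"


def audit(packets):
    """Tally decisions over (interface, src, dst) tuples, e.g. from a flow
    export, to see how much spoofed traffic an interface is emitting."""
    counts = {"forward": 0, "drop-spoofed": 0, "blackhole": 0}
    for iface, src, dst in packets:
        counts[classify(iface, src, dst)] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed flows
        ("cust-a", "203.0.113.7", "192.0.2.1"),      # legitimate
        ("cust-a", "198.51.100.5", "192.0.2.1"),     # spoofed (cust-b's space)
        ("cust-b", "198.51.100.5", "192.0.2.10"),    # legit source, victim dst
        ("cust-a", "2001:db8::1", "192.0.2.1"),      # spoofed (wrong family)
    ]
    print(audit(sample))
```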
