Le 11/01/2015 14:50, Patrick W. Gilmore a écrit :
> I agree with lots said here.
>
> But I've said for years (despite some people saying I am confused) that BCP38
> is the single most important thing we can do to cut DDoS.
>
> No spoofed source means no amplification. It also stops things like Kaminsky
> DNS attacks.
>
> There is no silver bullet. Security is a series of steps ("layers" as one
> highly respected security professional has in his .sig). But the most
> important layer, the biggest bang for the buck we can do today, is eliminated
> spoofed source.
>
> Push on your providers. Stop paying for transit from networks that do not
> filter ingress, put it in your RFPs, and reward those who do with contracts.
> Make it economically advantageous to fix the problem, and people will.
+1
mh
>