Jim Reid wrote:
I propose that the existence of an ISP without source address filtering is handled by a reputation system similar to what was brought in place to bring down open SMTP relays, another thing that was once a common practice and that needed to be shut down because they were being abused by miscreants.
Widespread uptake of source address filtering is just not going to happen.
Wasn't that claimed in the days of the open SMTP relay as well?
Yet, the problem was resolved.
Here's a straw-man suggestion. NTP over TCP would be the only option for public time servers on the Internet.
That will not be enough. TCP is used in reflection attacks now. It has no amplification, but it can still be used for reflection.
I saw an attempted attack on webservers where they just send spoofed SYN with source and destination port 80 and hope for a flood of SYN ACK to the victim.
Really, the only thing that can be done is end the spoofing. The protocols themselves are always vulnerable when they send some form of reply, and they always will.
Just disconnect every provider that refuses to set up source address filtering until they give in. No source address filtering? No traffic from you. Period.
I wonder just how long that will last when your boss can't get to his/her favourite web site with kitten pictures. :-)
Bosses got disconnected from e-mail because their company ran an open relay.
That made the system operators fix the open relay.
This should also work when they are part of a network that allows spoofing.
Fix the problem and you are on again.
It would be great if Facebook or google did source address
filtering/validation. That would provide a huge incentive to ISPs to get their
act together wrt BCP38. But suppose you're in charge at Facebook. Why would you
do something that pisses off your customers, puts customer support into
meltdown and upsets the advertisers whenever huge numbers of end users get cut
off because they're on ISPs who can't or won't do source address
filtering/validation any time soon?
It would be a bonus when you are never affected by a reflection DDOS. Maybe not for Facebook, but for a bank or government site it would be good for their reputation.
When users found their mail was getting dropped because their provider did not care about closing the open SMTP relay, it was similarly fixed before all customers ran out. That should be possible.
Today's users understand that security and hackers are a problem on the internet, and countermeasures are required.
Rob
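The source address filtering (BCP38 ingress filtering) argued over in this thread, shown as an added illustration that is not part of the list discussion: an edge router keeps a table of which prefixes belong behind each customer interface and drops any packet whose source address is not in that interface's prefixes, so forged sources never reach an NTP, DNS or TCP reflector. The interface names, prefixes and packets are constructed sample data.

```python
"""BCP38-style ingress filter (added illustration, constructed data)."""
from ipaddress import ip_address, ip_network

# Constructed prefix table: customer-facing interface -> prefixes assigned
# to that customer. Anything else arriving on the interface is a forged source.
PREFIX_TABLE = {
    "cust-a": [ip_network("192.0.2.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("2001:db8:b::/48")],
}


def is_spoofed(ingress_if, src):
    """True when src lies outside every prefix assigned to ingress_if.
    Unknown interfaces have no prefixes, so everything from them is spoofed."""
    src_ip = ip_address(src)
    # Membership test returns False for a v4 address in a v6 network and vice versa.
    return not any(src_ip in prefix for prefix in PREFIX_TABLE.get(ingress_if, []))


def filter_packets(packets):
    """Apply the ingress check to (interface, src, dst) tuples.
    Returns (forwarded, dropped) lists in arrival order."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt[0], pkt[1]) else forwarded).append(pkt)
    return forwarded, dropped


def spoof_counts(packets):
    """Spoofed packets per ingress interface: the evidence an operator would use
    to tell which customer or peer still has to fix its own filtering."""
    counts = {}
    for iface, src, _dst in packets:
        if is_spoofed(iface, src):
            counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed traffic: two legitimate packets and two with forged sources
# (one borrows an address outside the ISP, one borrows another customer's prefix).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),
    ("cust-b", "2001:db8:b::1", "2001:db8:1::53"),
    ("cust-a", "203.0.113.5", "198.51.100.7"),
    ("cust-a", "198.51.100.9", "203.0.113.5"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}, per interface {spoof_counts(SAMPLE_PACKETS)}")
```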
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool