I agree, those ISPs with end users trapped within a provider's network pool
have a pretty simple task in implementing BCP38. Cable Internet providers
and the like have no excuse. They should drop any packets that don't have a
source address from their address pool.

When it comes to ISPs with multihomed customers, it's not as simple. When
such a customer goes to an ISP, they'll say, "Hey, my ASN is XX and the
networks I'll be announcing are a.b.c.d/ZZ." At that moment, a provider has
to look up their networks at an RIR to confirm whether their customer
legitimately owns those blocks. They might do it for 1 or 2, but what if
the customer says, "Here are 500 or 1000 subnets I'll be announcing"? Which
ISP's support center is going to task somebody to spend several hours or
days doing that verification? And then imagine the trouble when the tech
says, "Sorry, 20% aren't registered correctly, go fix them before we allow
those packets through." Your new customer will be calling their account
team saying they have less trouble with your competition and they want
their account cancelled. A million-dollar contract might be flushed down
the toilet over trying to uphold BCP38 for the sole benefit of preventing
some unknown party elsewhere in the world from being DDoS'd? Somehow I
don't think so. Fifteen years later, you see why BCP38 is still a problem
for wide-scale implementation.

Those who can do it with relative ease should do it. For everybody else,
it'll likely continue to fall on deaf ears unless the request comes
attached with a check to implement and maintain the policy.


Personally, for all the hoopla over BCP38, the world would benefit more if
we just worked on weeding out applications using UDP and forced everything
to run over TCP. Spoofing becomes much more difficult when you need a
3-way handshake. SYN floods might become an issue, but boxes from Arbor
Networks and others are pretty good at preventing those problems.

On Tue, Mar 18, 2014 at 2:05 PM, Rob Janssen <[email protected]> wrote:

> AlbyVA wrote:
>
>> The big problem with BCP38 is that it really needs to be phased in from
>> the ground up at the smallest of network levels and not the top down from
>> the ISP level.
>>
>
> Then why not start doing that?
> For any ISP providing service to residential customers (all those millions
> and millions of cable and DSL connections) it is really peanuts to
> implement BCP38 on their access network.
>
> Same for all those low-budget hosters that provide virtual servers to
> customers paying $5 a month, and getting a single IP address or a small
> subnet from the ISP space, and no option of getting their own space routed.
>
> Peanuts for them to configure an access list in the access routers or
> close to the servers.
>
> If at least those measures were taken, the wide availability of unfiltered
> access to hackers (botnets, cheap hosting) would be reduced. Multihomed
> systems are hopefully administered and monitored a bit better, and less
> likely used as the source of an attack.
>
> Rob
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
>
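As an added example that is not part of the thread (and not code from anyone posting in it), here is a small Python model of the two filtering problems discussed above: the access-network check that drops any packet whose source lies outside the prefix assigned to that port, and the multihomed-customer check that compares the prefixes a customer wants to announce against registered route objects and reports back the ones that are missing or registered to another origin ASN. All port names, prefixes, ASNs and route objects are constructed sample data; a real deployment does the first check with an access list or uRPF on the access router, and the second against the RIR/IRR records the post describes looking up.

```python
"""Added example (not code from the thread): a model of BCP38-style source
filtering for (1) an access network, where each port may only source traffic
from the prefix the ISP assigned to it, and (2) a multihomed customer, whose
announced prefixes are checked against registered route objects.
All prefixes, ports, ASNs and route objects below are constructed data.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, str, str]  # (ingress port, source address, destination)


def build_port_filters(assignments: Dict[str, Iterable[str]]):
    """Map each access port to the prefixes it may legitimately source from."""
    return {port: [ipaddress.ip_network(p, strict=False) for p in prefixes]
            for port, prefixes in assignments.items()}


def ingress_check(port_filters, port: str, src: str) -> bool:
    """True if a packet with source `src` arriving on `port` passes BCP38.

    A port with no assignment fails closed. Mixed address families compare as
    "not contained", so an IPv6 source never matches an IPv4 prefix.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in port_filters.get(port, []))


def filter_packets(port_filters, packets: Iterable[Packet]):
    """Split packets into (accepted, dropped) by the per-port source check."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        port, src, _dst = pkt
        (accepted if ingress_check(port_filters, port, src) else dropped).append(pkt)
    return accepted, dropped


def verify_announcements(customer_asn: int, announced: Iterable[str],
                         route_objects: Dict[str, int]):
    """Check announced prefixes against registered route objects.

    `route_objects` maps a registered prefix to its origin ASN (the shape of an
    IRR route/route6 object). An announcement is accepted when the most
    specific registered prefix covering it has origin == customer_asn.
    Returns (accepted, rejected); each rejection carries a reason for the customer.
    """
    registered = [(ipaddress.ip_network(p), asn) for p, asn in route_objects.items()]
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for p in announced:
        net = ipaddress.ip_network(p, strict=False)
        covering = [(r, asn) for r, asn in registered
                    if r.version == net.version and net.subnet_of(r)]
        if not covering:
            rejected.append((p, "no route object"))
            continue
        _best, origin = max(covering, key=lambda ra: ra[0].prefixlen)
        if origin != customer_asn:
            rejected.append((p, f"registered to AS{origin}"))
        else:
            accepted.append(p)
    return accepted, rejected


# Constructed sample data (documentation prefixes and private-use ASNs).
PORT_ASSIGNMENTS = {
    "cable-port-1": ["203.0.113.16/29"],
    "vps-host-7": ["198.51.100.42/32", "2001:db8:7::/64"],
}
SAMPLE_PACKETS: List[Packet] = [
    ("cable-port-1", "203.0.113.18", "192.0.2.1"),    # own address: pass
    ("cable-port-1", "192.0.2.77", "192.0.2.1"),      # spoofed: drop
    ("vps-host-7", "198.51.100.42", "192.0.2.1"),     # own address: pass
    ("vps-host-7", "2001:db8:7::1", "2001:db8::1"),   # own v6 address: pass
    ("vps-host-7", "2001:db8:9::1", "2001:db8::1"),   # spoofed v6: drop
    ("unknown-port", "203.0.113.18", "192.0.2.1"),    # unassigned port: drop
]
ROUTE_OBJECTS = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64500,
                 "192.0.2.0/24": 64511}  # prefix -> origin ASN
CUSTOMER_ASN = 64500
ANNOUNCED = ["203.0.113.0/24", "198.51.100.128/25",
             "192.0.2.0/25", "2001:db8:ff00::/40"]

if __name__ == "__main__":
    ok, dropped = filter_packets(build_port_filters(PORT_ASSIGNMENTS), SAMPLE_PACKETS)
    print("access-network check: passed", len(ok), "dropped", len(dropped))
    for pkt in dropped:
        print("  drop", pkt)
    good, bad = verify_announcements(CUSTOMER_ASN, ANNOUNCED, ROUTE_OBJECTS)
    print("multihomed check: accepted", good)
    for prefix, why in bad:
        print("  reject", prefix, "-", why)
```

The access-network half is the "peanuts" case from the quoted reply: one lookup per port, no external data. The multihomed half shows why the original post expects friction: every announced prefix needs a covering route object with the right origin, and a more-specific announced under someone else's registration (192.0.2.0/25 here) is exactly the "not registered correctly, go fix it" conversation.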