On 02/14/2014 09:02 AM, Giles Davis wrote:
> Nick Hilliard wrote:
>> It really is, but bear in mind that a single 1GE connection with
>> no urpf can be used to create ~250-300G of backscatter traffic.
>>
>> This means that there's only a requirement to have a single
>> unscrupulous or incompetent ISP with GE in the world to allow a
>> devastating DoS to be launched against anyone anywhere.
>>
> Indeed - which is certainly a problem! :)
>
> So what's the 'proper' solution to all this then beyond just adding
> enough capacity to absorb ever larger attacks? How's this going to
> end up?
What's happening now is that reactive, specific measures are being taken - protocol-specific vulnerabilities (e.g. RRL for DNS, disable monlist for NTP) are being plugged, ISPs are deploying better instrumentation to detect attack flows, and are turning on uRPF/other source-address filtering towards the worst traffic sources.

The problem with these approaches is that:

- they are just going to lead to an endless game of whack-a-mole as the bad guys find ever more reflection vectors which need plugging
- this arms race will in turn educate the bad guys to be smarter
- the vendors of security products are going to be more interested in selling bigger, faster $olutions than tackling the underlying problems (cf. ever-increasing claims for how big an attack various vendors claim to have dealt with)
- TPTB are more likely to blame the Internet industry and take regulatory measures against us as an easy target than tackle the actual bad guys

Something I think that would make a bigger difference would be for data to be gathered and published that names-and-shames those providers that don't do BCP38 source address validation. As an industry we then need to start contractually enforcing, de-peering and blocking traffic to/from those providers who don't take action to remedy this.

The other thing is to beat up on our vendors - I hear many stories of how BCP38 cannot be implemented by people who want to, due to some bug or missing feature with CPE/edge/aggregation/core equipment.

If self-regulation doesn't work, we can expect regulation. While mandating SAV/BCP38 would IMHO be a much more useful single item of legislation to reduce Internet evil than the swathes of vested-interest pandering nonsense we've had from our governments and regulators lately, it's hard to trust them to do it right.
In any case, there are also many (probably most) nation-states out there proudly declaring that they have "cyberwarfare capability", and it's hard to see how this is credible without a DDoS element. It might actually take international "Internet disarmament" treaties to nail this problem :-(

Keith
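The BCP38 / uRPF source address validation the thread keeps returning to, as an added illustration that is not part of the original message: a model of the check an ISP edge router applies to traffic arriving from customer-facing interfaces, in both strict mode (source must be routed via the ingress interface) and the weaker loose mode (source merely has to exist in the routing table). Interface names, prefixes and packets are constructed sample data.

```python
# Added example (not from the thread): a model of BCP38 / uRPF source-address
# validation at an ISP customer-facing edge. Interface names, prefixes and
# packets below are constructed sample data.
import ipaddress
from typing import Dict, List, Tuple

# Constructed: prefixes assigned to each customer-facing interface. In a real
# router this is derived from the routing table (uRPF) or a per-port ACL.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:2::/48"],
}


def _nets(prefixes: List[str]):
    return [ipaddress.ip_network(p) for p in prefixes]


def strict_urpf_passes(interface: str, src: str, table=CUSTOMER_PREFIXES) -> bool:
    """Strict uRPF / BCP38: the source must fall inside a prefix that is
    reachable via the very interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in _nets(table.get(interface, [])))


def loose_urpf_passes(src: str, table=CUSTOMER_PREFIXES) -> bool:
    """Loose uRPF: the source only has to exist somewhere in the table. It
    stops unallocated/bogon sources but not one customer forging another's."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for nets in table.values() for n in _nets(nets))


def filter_ingress(packets: List[Tuple[str, str, str]], table=CUSTOMER_PREFIXES):
    """Apply strict-mode SAV to (interface, src, dst) tuples; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if strict_urpf_passes(iface, src, table) else dropped).append((iface, src, dst))
    return forwarded, dropped


# Constructed sample: legitimate traffic plus packets with forged sources aimed
# at a resolver address, i.e. the reflection pattern the thread is about.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.53"),      # legitimate, source on-net
    ("ge-0/0/1", "203.0.113.9", "192.0.2.53"),       # forged: prefix belongs to ge-0/0/2
    ("ge-0/0/1", "192.0.2.200", "192.0.2.53"),       # forged: not a customer prefix at all
    ("ge-0/0/2", "2001:db8:2::10", "2001:db8::53"),  # legitimate IPv6
]

if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped  :", drop)
```

The second forged packet passes loose mode but fails strict mode, which is why strict (or per-port ACL) validation is what BCP38 asks of the customer edge.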
