North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DoS attacks, NSPs unresponsiveness
On Thu, 2 Nov 2000 Valdis.Kletnieks@vt.edu wrote: > The problem is that for many ISPs, I fear the only way to get them to > implement 2827-style filtering is for their upstreams to implement a > policy of fascist-mode ingress filtering - "We see a bogon packet that > your site should have filtered, we pull the plug on your link till you > fix it". Wonderful. The problem has been identified. But, other than foot-stomping, I haven't seen any solutions to correct it. The "we'll pull the plug" attitude won't work unless absence of said filtering violates that ISP's upstream AUP or contract. Some problems: ISPs should be doing ingress filtering and aren't. There [may] exist ISPs that [may] know that such filtering needs to be done and don't possess the information/wherewithall/incentive to determine a resolution for implementation. Some suggestions: 1) Develop a group of technical contacts, one each company, for each Tier 1 provider. 2) Create a document with configuration examples for various routers 3) Request that each technical contact of these Tier 1 providers coordinate with its respective internal customer service reps to handle dissemination of said document to its ISP customers. or 4) Disseminate the document through other appropriate mailing lists or newsgroups. It's completely pointless to identify a problem without also identifying possible solutions or working toward correcting the problem.