North American Network Operators Group


Re: DoS attacks, NSPs unresponsiveness

  • From: dies
  • Date: Thu Nov 02 11:46:16 2000



Well since everyone else is stating their opinions, I'll join in
as well.  First off I think pulling the plug is a great idea ( =] ).
Anyways the point comes down to this.  Who should be doing the ingress
filtering?  Tier-2's, Tier-1's, the actual customer?  I know this whole
idea sounds very pretty and nice, however, when it comes down to it there
are many real problems with this idea.  One, the hardware on most ISP's
backbones cannot realistically do ingress filtering.  I'm sorry to say but
a GSR is not able to do ingress filtering on 5 Channelized OC-12's that
hold 400+ Customers a piece.  It just does not work, I don't care what
Cisco claims, it just does not work.  What about other vendors?  I have no
experience with Bay or Lucent, however, Juniper (which I do have
experience with) has the ability due to the hardware based filtering
available but that brings up a whole set of other questions.  How will
ingress filtering from an ISP level affect downstream customers that do
asymmetrical routing?  How about the management overhead that comes into
play when you are a Tier-1 or a large Tier-2 with tens of thousands of
customers?  What it comes down to is that customers need to be doing
egress filtering, it's the only scalable solution, however this just is
not happening.  Don't blame the ISPs only, it's their customers that are
really the problem.  Lack of security/knowledge on the customer's end
leads to hacked boxes, which in turn lead to DoS attacks.  It really comes
down to not the responsibility of the ISP, but in fact the responsibility
of the customers!  Maybe we all should think about that before we point
fingers.



On Thu, 2 Nov 2000 Valdis.Kletnieks@vt.edu wrote:

> On Thu, 02 Nov 2000 09:59:04 EST, Mark Mentovai <mark-list@mentovai.com>  said:
> > This can't go on forever.  I'd like to spread the clue about ingress
> > filtering, and am willing to commit time to the cause.  Is anyone with me?
> 
> The problem is that for many ISPs, I fear the only way to get them to
> implement 2827-style filtering is for their upstreams to implement a
> policy of fascist-mode ingress filtering - "We see a bogon packet that
> your site should have filtered, we pull the plug on your link till you
> fix it".
> 
> Time alone won't be enough.  Bring a baseball bat.  And a spare bat.
> 
> -- 
> 				Valdis Kletnieks
> 				Operating Systems Analyst
> 				Virginia Tech
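To make the trade-off in this thread concrete, here is an added example (not code from the thread or from any vendor) that simulates the two ways a provider can implement RFC 2827-style source filtering against a routing table, plus the simple per-prefix check a customer can run at its own edge. The routing table, interface names and packets are constructed for the example; the "strict" and "loose" modes follow the common reverse-path-forwarding convention, and treating a default-route match as "no route" in loose mode is an assumption made here.

```python
"""Added illustration of RFC 2827 / BCP 38 source-address filtering.
Not code from the NANOG thread; every prefix, interface name and packet
below is constructed for the example."""
import ipaddress

# Constructed routing table: the interface each prefix is best reached through.
ROUTES = {
    "192.0.2.0/24": "cust-A",      # single-homed customer A
    "198.51.100.0/24": "cust-B",   # customer B; best return path is via cust-B
    "203.0.113.0/24": "peer-1",    # a peer's address space
    "0.0.0.0/0": "upstream",       # default route toward the transit provider
}


def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_check(src, ingress_iface):
    """Strict mode: accept only if the best route back to src points out the
    interface the packet arrived on.  Stops spoofing from this interface, but
    also drops a legitimate customer whose traffic arrives asymmetrically
    (the objection raised in the thread)."""
    route = best_route(src)
    return route is not None and route[1] == ingress_iface


def loose_check(src, ingress_iface):
    """Loose mode: accept if any non-default route exists for src, whatever
    interface it points to.  Tolerates asymmetric routing but only catches
    sources from unrouted space; a default route is deliberately ignored
    (assumption for this example)."""
    route = best_route(src)
    return route is not None and route[0].prefixlen > 0


def customer_egress_ok(src, assigned_prefixes):
    """The customer-side egress filter the poster argues for: a site only lets
    packets out whose source lies in the prefixes it was actually assigned.
    No routing table needed, which is why it scales."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in assigned_prefixes)


# Constructed packets: (source, ingress interface, description)
PACKETS = [
    ("192.0.2.10", "cust-A", "customer A sending from its own space"),
    ("203.0.113.5", "cust-A", "spoofed: a peer's address arriving from customer A"),
    ("198.51.100.7", "cust-A", "customer B's space arriving via A (asymmetric path)"),
    ("10.0.0.1", "cust-A", "RFC 1918 source, matches only the default route"),
]


def evaluate(packets=PACKETS):
    """Return [(src, strict_result, loose_result), ...] for the sample packets."""
    return [(src, strict_check(src, iface), loose_check(src, iface))
            for src, iface, _ in packets]


if __name__ == "__main__":
    for (src, iface, desc), (_, strict, loose) in zip(PACKETS, evaluate()):
        print(f"{src:<14} on {iface}: strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}  ({desc})")
```

Running it shows the tension the thread is about: strict mode drops the spoofed peer address but also drops customer B's asymmetric traffic on cust-A, while loose mode keeps the asymmetric customer and only catches the unrouted 10.0.0.1 source. The customer-edge check has neither problem because the site knows exactly which prefixes it owns.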