[nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store

Miles Nordin carton at Ivy.NET
Fri Jun 15 06:15:07 EDT 2007

>>>>> "a" == alex  <alex at pilosoft.com> writes:

     a> Wrong. These are your bits, you requested them, you pay for
     a> them, you deal with them.

I think the idea is that netadmins at ISP's need to show some
stewardship over the part of the Internet they control, just as
sysadmins did very diligently and aggressively with the spam problem.
I don't see that happening so far.

I'm in Dubai right now setting up some 6500's on a dark fiber ring.
It's kinda fun, and easy.  one thing I found in reading about them is:

 ip verify unicast source reachable-via {any | rx} <acl> 
                      -- loose/strict uRPF.  acl-permitted packets
                         skip the uRPF check
                      -- note this is an interface command, so usually 
                         you won't need the acl.

 mls ip cef rpf hw-enable-rpf-acl  -- hardware PFC uRPF acceleration.
                 yes = PFC-switch acl-denied uRPF-subject packets, and
                       MSFC-switch (more slowly) acl-permitted
                       no-uRPF-check packets
                 no  = PFC-switch acl-permitted no-uRPF-check packets,
                       and MSFC-switch (more slowly) acl-denied
                       uRPF-subjet maybe-DDoS packets
                 -- both ways are not so good if you need the ACL. :'
                    also note this is a global command.  you can't
                    pick a different preference on each interface.

 mls ip cef rpf interface-group
 mls ip cef rpf multipath ? -- hardware uRPF has some complicated
                               limitations for multipath routes.  the
                               newest stuff supports two paths
                               automatically, but if you want three
                               you have to deal with these commands.

some of this only a few months old in the 6500.  and it seems to have
lots of limitations.  but, it's there, and it's meant specifically for
building the beginnings of an anti-DDoS architecture.  uRPF is an old
idea, and it looks now like we are just now getting hardware that can
do it performantly.

Long-term I think we need some way to recognize infected windows
machines and turn off their accounts, and we need to give ISP's that
host infected windows machines some incentive for doing this.  At this
point, not only is that ability far away tools-wise, but I don't think
ISP's would be willing to do it because it would upset customers and
load their support lines, so they don't give a shit and say ``never
mind, the web hosters are requesting to receive massive extortionist
attacks from our virus-cesspool customer APRU-farm.''  DDoS is a
problem that Level3 customers cause for Cogent customers, so the
division between Interweb ISP's and hosting ISP's means the incentive
is missing---if people are just going to be small businessmen rather
than stewards, this DDoS problem will never be solved.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20070615/0089276d/attachment.bin>

More information about the talk mailing list