[nycbug-talk] [announce] Tonight: NYC*BUG at the Soho Apple Store
asr+nycbug at latency.net
Fri Jun 15 11:10:11 EDT 2007
On 2007-06-15-06:15:07, Miles Nordin <carton at Ivy.NET> wrote:
> I think the idea is that netadmins at ISP's need to show some
> stewardship over the part of the Internet they control
Yes and no. Play too much of an active role, and customers will (as
you've later commented) complain. Legally and politically, "common
carrier" boundaries and their associated protections get further
> sysadmins did very diligently and aggressively with the spam problem.
"not so much"...
> [...] uRPF is an old idea, and it looks now like we are just now
> getting hardware that can do it performantly.
On paper, strict-mode uRPF is a sane baseline configuration for simple
("cookie cutter") singly-homed customers. And loose-mode uRPF should
satisfy the needs of most multi-homed customers and their potentially
asymmetric traffic flows.
In practice, this isn't as simple as it may seem. Much of the
provider-edge hardware you'll find commonly deployed today simply does
not support uRPF, or does so by halving the FIB (or some other equally
brain-dead method), which doesn't scale particularly well.
(Could you mimic uRPF-like functionality with ACLs? Perhaps, and some
folk are, but that's a bit of a provisioning/config-gen nightmare on a
large scale; plus you're playing with fire and run the risk of TCAM
scaling limitations depending on platform...)
...and when was the last time you saw a multi-gigabit attack where
spoofed address space was even a significant factor?
> Long-term I think we need some way to recognize infected windows
> machines and turn off their accounts, and we need to give ISP's that
> host infected windows machines some incentive for doing this. At this
> point, not only is that ability far away tools-wise
This is somewhat workable today with a combination of coarse netflow
analysis, octets/packets-per second trending on customer-facing
interfaces ("CS 101" type stuff), and looking at what gets hit in
internal and external "dark space".
> DDoS is a problem that Level3 customers cause for Cogent customers
Perhaps, but I can assure you that's not why their peerings are
running hot. :-)
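The strict/loose uRPF distinction drawn above can be made concrete with a small simulation. This is an added example, not code from the thread or from any router vendor: the FIB, the interface names (cust-a, cust-b, cust-c, cust-c2, core0), the sample packets and the ignore_default knob are all constructed here to show why strict mode fits singly-homed customers and loose mode is what survives asymmetric multi-homed flows.

```python
"""Simulated unicast RPF, strict and loose mode, over a constructed FIB.

Added example; the FIB, interface names and packets are all constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str        # next-hop interface for this prefix


# Constructed FIB of a provider-edge router: two singly-homed customers,
# one multi-homed customer whose best path is via cust-c, and a default
# route toward the core. Addresses are documentation ranges (RFC 5737).
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "core0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-a"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust-b"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-c"),
]


def lookup(fib, addr):
    """Longest-prefix match on the FIB; returns the best Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in fib:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_strict(fib, src, ingress):
    """Strict mode: the best route back to src must leave via the ingress interface."""
    route = lookup(fib, src)
    return route is not None and route.interface == ingress


def urpf_loose(fib, src, ignore_default=True):
    """Loose mode: src must simply be present in the FIB, on any interface.

    ignore_default is this simulation's own knob (an assumption, not a named
    vendor feature): with it set, a match on 0.0.0.0/0 alone does not count
    as reachable, so addresses with no specific route are dropped.
    """
    route = lookup(fib, src)
    if route is None:
        return False
    if ignore_default and route.prefix.prefixlen == 0:
        return False
    return True


# Constructed packets: (source address, interface the packet arrived on, note)
PACKETS = [
    ("198.51.100.7", "cust-a", "legitimate singly-homed customer"),
    ("203.0.113.5", "cust-a", "cust-a spoofing its neighbour cust-b"),
    ("192.0.2.9", "cust-c2", "multi-homed customer, asymmetric return path"),
    ("10.1.2.3", "cust-b", "spoofed address with no specific route"),
]


def evaluate(fib=FIB, packets=PACKETS):
    """Return {(src, ingress): (strict_accept, loose_accept)} for every packet."""
    return {
        (src, ingress): (urpf_strict(fib, src, ingress), urpf_loose(fib, src))
        for src, ingress, _note in packets
    }


if __name__ == "__main__":
    for (src, ingress, note), (strict, loose) in zip(PACKETS, evaluate().values()):
        print(f"{src:>14} on {ingress:<8} strict={'pass' if strict else 'DROP':<4} "
              f"loose={'pass' if loose else 'DROP':<4}  # {note}")
```

Running it shows the trade-off the post describes: strict mode stops the neighbour-spoof from cust-a but also drops the legitimate multi-homed packet arriving on cust-c2, while loose mode passes both and only rejects the address that has no specific route at all.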
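The "CS 101" detection the post mentions, pps trending on customer-facing interfaces plus watching what touches internal dark space, is sketched below as an added example. It is not code from the thread or from any NetFlow tool; the interface counters, the 10.250.0.0/16 dark-space prefix, the flow records and the thresholds (5x the median, three distinct dark-space targets) are all constructed assumptions chosen to illustrate the two signals.

```python
"""Coarse detection of a misbehaving customer host from interface pps
trending and hits on internal dark space.

Added example; all samples, prefixes and flow records are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed per-minute packets-per-second readings on customer-facing
# interfaces (oldest first). cust-a jumps sharply in the last interval.
PPS_SAMPLES = {
    "cust-a": [120, 130, 125, 118, 122, 127, 121, 4800],
    "cust-b": [300, 310, 295, 305, 298, 302, 301, 309],
}

# Constructed internal dark space: routed inside the network but with no
# hosts, so nothing legitimate should ever send there.
DARK_SPACE = [ipaddress.ip_network("10.250.0.0/16")]

# Constructed netflow-style records: (src, dst, proto, dst_port, packets)
FLOWS = [
    ("198.51.100.7", "10.250.3.1", 6, 445, 1),
    ("198.51.100.7", "10.250.3.2", 6, 445, 1),
    ("198.51.100.7", "10.250.9.40", 6, 445, 1),
    ("198.51.100.7", "10.250.77.8", 6, 445, 1),
    ("198.51.100.7", "192.0.2.80", 6, 80, 12),
    ("192.0.2.9", "10.250.1.1", 1, 0, 1),        # one stray ping, below threshold
    ("203.0.113.5", "192.0.2.80", 6, 80, 40),
]


def pps_anomalies(samples, factor=5.0, history=7):
    """Flag interfaces whose latest reading exceeds factor x the median of
    the preceding `history` readings. Returns {interface: ratio}."""
    flagged = {}
    for ifname, series in samples.items():
        if len(series) < history + 1:
            continue                      # not enough history to trend
        baseline = statistics.median(series[-history - 1:-1])
        current = series[-1]
        if baseline > 0 and current > factor * baseline:
            flagged[ifname] = round(current / baseline, 1)
    return flagged


def dark_space_hitters(flows, dark=DARK_SPACE, min_targets=3):
    """Count distinct dark-space destinations per source; a host touching
    several of them is sweeping the space. Returns {src: distinct_targets}."""
    targets = defaultdict(set)
    for src, dst, _proto, _port, _pkts in flows:
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in dark):
            targets[src].add(dst_ip)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def suspects(samples=PPS_SAMPLES, flows=FLOWS):
    """Combine both signals into one report for follow-up."""
    return {
        "pps_spike": pps_anomalies(samples),
        "dark_space": dark_space_hitters(flows),
    }


if __name__ == "__main__":
    for signal, hits in suspects().items():
        for key, value in hits.items():
            print(f"{signal}: {key} -> {value}")
```

A median baseline rather than a mean keeps a single earlier burst from hiding a later one, and counting distinct dark-space destinations instead of raw packets separates a host sweeping the range from one that sent a single stray probe.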