nanog mailing list archives

Re: WANTED: ISPs with DDoS defense solutions
From: Paul Vixie <vixie () vix com>
Date: 06 Aug 2003 00:58:19 +0000

> More and more there is less and less spoofing, it's just not required and
> it causes more damage with less effort :( Why spoof when you have 1000
> machines pumping 1 packet per second? (or 10)

leaving the spoofing option open for future generations of attacks,
rather than having a witch-hunt and tracking down and upgrading every
insecure edge, is just about the worst thing we could do.  because
when an attacker wants an extra edge, they'll add spoofing to their
attack profile, and the core's immune system will be totally unprepared.

knowing this, and knowing that spoofing isn't actually necessary right
now, the current generation of attackers would be well advised to stop
spoofing for a while so that nobody makes any serious attempt to plug
the hole.  (and, it sounds like that strategy might already be working.)

could someone here who can write win32 apps, and someone else who can
write cocoa apps, please volunteer short executables that will try to
spoof a few packets through some well known server, and then report as
to whether the current computer/firewall/cablemodem/isp/core permitted
this or not?  isc would be happy to host the server component of this,
as long as source code for the executables is available under a bsd
style copyright, and the executables are released without any fee.

this is so the community can gather compelling evidence for the witch-hunt.
(i expect we'd have to come up with a "web button" campaign to brand isp's
who dtrt.  sort of like the old squid-era "cache now!" thing.)
Paul Vixie
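The probe Vixie is asking for, sketched as an added example: this is not ISC's tool, not code from the post, and not the win32/cocoa executables he requested. It builds a UDP probe with a forged IPv4 source, a second "control" probe with the real source, and the server-side check that decides whether a client's network let the forged one through. Everything here is my assumption rather than the page's: the server port (5555), the payload layout (a tag, a 16-byte nonce, the client's real address), the TEST-NET addresses used as stand-ins, and the Linux raw-socket send. Point it only at a probe server you operate.

```python
"""Spoof-capability probe: client-side packet builder and server-side check.

Added example, not ISC's tool. Assumed (not from the post): server UDP port,
payload layout, and that the server logs (header_src, nonce, real_ip) triples.
"""
import socket
import struct

PROBE_PORT = 5555          # assumed server port
MAGIC = b"SPOOFPROBE1"     # assumed payload tag
FORGED_SRC = "192.0.2.1"   # TEST-NET-1: a source no ISP should ever see from us


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a correctly-checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Return a complete IPv4+UDP datagram; src_ip is whatever we say it is."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)  # RFC 768
    udp_no_ck = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp_ck = checksum(pseudo + udp_no_ck) or 0xFFFF   # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_ck) + payload
    hdr = [0x45, 0, 20 + udp_len, 0, 0, 64, socket.IPPROTO_UDP, 0, src, dst]
    hdr[7] = checksum(struct.pack("!BBHHHBBH4s4s", *hdr))
    return struct.pack("!BBHHHBBH4s4s", *hdr) + udp


def parse_probe(datagram):
    """Server side: (header_src_ip, nonce, claimed_real_ip), or None if not a probe."""
    if len(datagram) < 28 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if checksum(datagram[:ihl]) != 0 or datagram[9] != socket.IPPROTO_UDP:
        return None
    header_src = socket.inet_ntoa(datagram[12:16])
    payload = datagram[ihl + 8:]
    if not payload.startswith(MAGIC) or len(payload) != len(MAGIC) + 16 + 4:
        return None
    nonce = payload[len(MAGIC):len(MAGIC) + 16]
    real_ip = socket.inet_ntoa(payload[len(MAGIC) + 16:])
    return header_src, nonce, real_ip


def classify(seen, nonce):
    """seen: triples the server logged. Verdict for the client that used `nonce`."""
    mine = [s for s in seen if s[1] == nonce]
    if not mine:
        return "no-data"       # not even the honest control probe arrived
    if any(src != real for src, _, real in mine):
        return "spoofable"     # a forged-source packet reached the server
    return "filtered"          # only truthfully-sourced probes got through


def make_probes(real_ip, server_ip, nonce):
    """Client side: one honest control probe plus one with a forged source."""
    payload = MAGIC + nonce + socket.inet_aton(real_ip)
    honest = build_ipv4_udp(real_ip, server_ip, 40000, PROBE_PORT, payload)
    forged = build_ipv4_udp(FORGED_SRC, server_ip, 40000, PROBE_PORT, payload)
    return honest, forged


def send_raw(datagram, dst_ip):
    """Needs CAP_NET_RAW; IP_HDRINCL makes the kernel use our header as written (Linux)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        s.sendto(datagram, (dst_ip, 0))
    finally:
        s.close()


if __name__ == "__main__":
    import os
    nonce = os.urandom(16)
    honest, forged = make_probes("198.51.100.7", "203.0.113.9", nonce)   # assumed addresses
    for pkt in (honest, forged):
        send_raw(pkt, "203.0.113.9")
```

The honest probe is the control: if it never arrives, the verdict is "no-data" rather than "filtered", so a dead path is not mistaken for working ingress filtering. The server compares the IP header's source against the real address the client put in the payload, which is the whole test; the nonce only ties a verdict back to the client that ran it.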
