Home page logo

nanog logo nanog mailing list archives

Re: UDP port 80 DDoS attack
From: Keegan Holley <keegan.holley () sungard com>
Date: Wed, 8 Feb 2012 10:12:50 -0500

Providers don't even check the registries for bgp advertisements. See the thread on hijacked routes for proof.   Not to 
mention how do you handle a small transit AS?  Do you trust that they have the correct filters as well?  Do you start 
reading their AS paths and try to filter based on the registry for folks down stream?  Then there's the RLDRAM issue.  
Most edge boxes will just run out if ACL's.  Lastly there's no contractual obligation to play traffic cop for the 
entire Internet so providers would be dropping traffic that they can legitimately bill for.

Sent from my iPhone

On Feb 8, 2012, at 4:56 AM, George Bonser <gbonser () seven com> wrote:

No, we have registries to act as registries, the ISPs should be
checking them, and double checking.  It isn't something that is going
to change every day or every week. Once you get it set up, it is going
to be stable for a while.  Sure, it means a little more work in setting
up a customer, but it also means that if all your neighbors do the same
thing, you field many fewer calls dealing with stupid DoS crap.

I'll put it another way. Any provider that does not police their customer traffic has no business whining about DoS 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]