On Thu, 2006-04-06 at 16:25 +0200, Daniel Karrenberg wrote:
Dear colleagues,
unfortunately DoS amplification attacks are still with us. [..]
I think it is very good thing to have such a working group. The biggest reason that I heard from various ISPs for not doing RPF/ingress filtering etc. is that they claim their gear doesn't support it, or that it would overload their hardware too much, thus they don't want to enable it. Same reason why they don't filter out RFC1918 and other darkspace in many places.

Still, having even 80% of the places doing it takes care of those 80% places. The other nests can't be controlled anyway. Getting everybody to cooperate is probably not done. Maybe a good incentive would be that ISPs would not link to another network if that other network, but that brings in a lot of political issues too next to technical ones... Transit ISPs could of course in those cases filter out their downstream customers, which is what they should be doing IMHO...

Maybe a "Secure Internet Working" TF is a better idea, then it can also raise awareness in the future of possible S-BGP/BGP-S solutions, anti-spam solutions, closing down relays, tracking DDoS bots... oops too many potholes, better focus on one I guess ;)

Greets,
Jeroen