On 3/23/06, <b class="gmail_sendername">Per Heldal</b> <<a href="mailto:heldal@eml.cc">heldal@eml.cc</a>> wrote:<br>[...]<br><br><div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Don't forget that a "carrot" to some is a "stick" to others. Maybe it's<br>better to approach the problem from a different angle than the ISP in<br>the case of bcp38 compliance. What if a significant group of those who
<br>are hurt the most from attacks (content- and hosting-providers)<br>cooperate to distribute probes, collect data and take active measures<br>against non-compliant networks? It shouldn't take much to convince ISPs<br>to filter if the cost related to such filtering is minor. Blocked
<br>access to the likes of Google, Yahoo and Hotmail should make wonders ...<br> Previous research indicates that about 2/3 already are compliant. That<br>makes this an even more powerful stick against the remaining 1/3.<br>
<br><br>//per</blockquote><div><br> Agreed. But to get there, we need better ways to detect BCP38 non-compliance.<br><br> The infrastructure is there (address and routing registries), but in bad shape, because it's not used enough (at least for this purpose).
<br><br> The tools aren't exactly there either. Which NOC will see a red alert when spoofed traffic shows up, when this part of the traffic is small compared to the rest? How much tweaking will be needed to get there?<br>
<br> And sure, spoofed traffic can be hard to detect, but this doesn't mean none of it can be detected. Especially when attacks last for hours/days.<br><br>Pierre.<br><br>PS: And of course, in parallel, we could fix UDP so that packets sent in either direction have the same size. But that might take longer. ;-)
<br></div></div>
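An added example, not part of the original message: one way to surface the case discussed above, where spoofed traffic is a tiny share of a port's traffic but persists for hours. The flow records, port names and per-port prefix table (standing in for routing-registry data) are constructed for illustration, and the one-hour threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for registry data: prefixes each customer port may source.
REGISTERED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}

# Constructed flow records: (seconds, ingress port, source address, packets).
FLOWS = [
    (0,    "cust-a", "192.0.2.10",    90000),
    (600,  "cust-a", "203.0.113.7",   40),     # outside cust-a's prefix
    (4200, "cust-a", "192.0.2.11",    80000),
    (7800, "cust-a", "203.0.113.99",  60),     # still happening two hours later
    (100,  "cust-b", "198.51.100.5",  50000),
    (200,  "cust-b", "203.0.113.50",  10),     # one-off, not persistent
    (260,  "cust-b", "2001:db8:b::1", 500),
]

def find_persistent_spoofing(flows, registered, min_duration=3600):
    """Flag ports whose out-of-prefix sources persist for min_duration seconds,
    regardless of how small a share of the port's traffic they are."""
    nets = {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in registered.items()}
    seen = defaultdict(lambda: {"first": None, "last": None, "bad": 0, "total": 0})
    for ts, port, src, packets in flows:
        if port not in nets:
            continue  # no registry data for this port: cannot be judged
        entry = seen[port]
        entry["total"] += packets
        addr = ipaddress.ip_address(src)
        if any(addr.version == n.version and addr in n for n in nets[port]):
            continue  # source is inside a registered prefix
        entry["bad"] += packets
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    alerts = {}
    for port, e in seen.items():
        if e["bad"] and e["last"] - e["first"] >= min_duration:
            alerts[port] = {"duration": e["last"] - e["first"],
                            "bad_packets": e["bad"],
                            "share": e["bad"] / e["total"]}
    return alerts

if __name__ == "__main__":
    for port, info in find_persistent_spoofing(FLOWS, REGISTERED).items():
        print(port, info)
```

A ratio-based alarm would miss cust-a here, since the out-of-prefix packets are well under 0.1% of the port's traffic; keying on persistence catches it while ignoring cust-b's one-off stray flow.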