>>>>> "a" == alex <alex@xxx> writes: a> Wrong. These are your bits, you requested them, you pay for a> them, you deal with them. I think the idea is that netadmins at ISP's need to show some stewardship over the part of the Internet they control, just as sysadmins did very diligently and aggressively with the spam problem. I don't see that happening so far. I'm in Dubai right now setting up some 6500's on a dark fiber ring. It's kinda fun, and easy. one thing I found in reading about them is: ip verify unicast source reachable-via {any | rx} <acl> -- loose/strict uRPF. acl-permitted packets skip the uRPF check -- note this is an interface command, so usually you won't need the acl. mls ip cef rpf hw-enable-rpf-acl -- hardware PFC uRPF acceleration. yes = PFC-switch acl-denied uRPF-subject packets, and MSFC-switch (more slowly) acl-permitted no-uRPF-check packets no = PFC-switch acl-permitted no-uRPF-check packets, and MSFC-switch (more slowly) acl-denied uRPF-subjet maybe-DDoS packets -- both ways are not so good if you need the ACL. :' also note this is a global command. you can't pick a different preference on each interface. mls ip cef rpf interface-group mls ip cef rpf multipath ? -- hardware uRPF has some complicated limitations for multipath routes. the newest stuff supports two paths automatically, but if you want three you have to deal with these commands. some of this only a few months old in the 6500. and it seems to have lots of limitations. but, it's there, and it's meant specifically for building the beginnings of an anti-DDoS architecture. uRPF is an old idea, and it looks now like we are just now getting hardware that can do it performantly. Long-term I think we need some way to recognize infected windows machines and turn off their accounts, and we need to give ISP's that host infected windows machines some incentive for doing this. At this point, not only is that ability far away tools-wise, but I don't think ISP's would be willing to do it because it would upset customers and load their support lines, so they don't give a shit and say ``never mind, the web hosters are requesting to receive massive extortionist attacks from our virus-cesspool customer APRU-farm.'' DDoS is a problem that Level3 customers cause for Cogent customers, so the division between Interweb ISP's and hosting ISP's means the incentive is missing---if people are just going to be small businessmen rather than stewards, this DDoS problem will never be solved.
Attachment:
pgpvGPSqFkbcQ.pgp
Description: PGP signature