> James Hess wrote:
>> For now.. with 1gigabit residential connections, BCP 38 OUGHT to be
>> Google's answer. If Google handles that properly, they _should_
>> make it mandatory that all traffic from residential customers be
>> filtered, in all cases, in order to only forward packets with
>> their legitimately assigned or registry-issued publicly verifiable
>> IP prefix(es) in the IP source field. Must be mandatory even for
>> 'resellers', otherwise there's no point.
>
> The amount of DOS that is spoofed today is by all reports significantly
> lower as a percentage of overall DOS than it was in say 2000.
>
> BCP 38 is all fine and dandy, and you should implement it, but it's not
> going to stop the botnets.
After re-reading the original post, Google will be providing BOTH:

a) generic L2 transport for resellers to use in reaching users/subscribers
b) their own L3 product

Forcing 'resellers' to do BCP38 on their L2 product reads synonymous to "boondoggle." Further, who cares? This isn't where the "bad stuff" is, given the context of a multi-access L2 network.

>> P.S. reasonable abuse response is not defined as a 4-day delayed
>> answer to a 'help, no contact addresses will answer me' post on nanog
>> (long after automated processes finally kicked in).. Reasonable
>> response to a continuous 1gigabit flood or 100 kilopacket flood
>> should be less than 12 hours.

NOCs that give a crap are good, but we have other tools at our disposal. I find that customers tend to 'take note' that they've screwed up something badly when their port goes ERRDISABLE and loses link for a few minutes.

I understand that NANOG typically doesn't concern itself with edge-access techniques, but there are easy ways to mitigate a lot of what a NOC might have to handle. Perhaps it's worth forking this thread to discuss? Done well, this should end up somewhere near 'unimportant' or a 'non-issue.'

-Tk
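As an added illustration of the two edge-access controls this thread touches on (not code from any poster), here is a simulated per-subscriber access port that applies a BCP 38 source-prefix check and an errdisable-style flood threshold with a recovery timer; the assigned prefix, the packets-per-second limit, the recovery time and the packet trace are all constructed values.

```python
import ipaddress
from collections import deque
# Constructed values, not from the thread: one subscriber port's assigned
# prefix, a per-second flood threshold and an errdisable recovery timer.
PORT_PREFIXES = [ipaddress.ip_network("198.51.100.0/29")]
PPS_LIMIT = 100          # packets in any one-second window before errdisable
RECOVERY_SECONDS = 180   # how long the port stays down before link returns

class SubscriberPort:
    def __init__(self, prefixes, pps_limit, recovery):
        self.prefixes, self.pps_limit, self.recovery = prefixes, pps_limit, recovery
        self.window = deque()           # arrival times within the last second
        self.errdisabled_until = None
        self.stats = {"forwarded": 0, "spoofed": 0, "errdisabled": 0}

    def bcp38_ok(self, src):
        # BCP 38: forward only sources inside a prefix assigned to this port.
        return any(ipaddress.ip_address(src) in p for p in self.prefixes)

    def ingress(self, ts, src):
        """Return the verdict for one packet arriving at time ts (seconds)."""
        if self.errdisabled_until is not None:
            if ts < self.errdisabled_until:
                self.stats["errdisabled"] += 1
                return "drop:errdisable"
            self.errdisabled_until = None   # recovery timer expired, link is back
            self.window.clear()
        self.window.append(ts)
        while ts - self.window[0] >= 1.0:   # slide the one-second window
            self.window.popleft()
        if len(self.window) > self.pps_limit:   # flood: take the port down
            self.errdisabled_until = ts + self.recovery
            self.stats["errdisabled"] += 1
            return "drop:errdisable"
        if not self.bcp38_ok(src):
            self.stats["spoofed"] += 1
            return "drop:bcp38"
        self.stats["forwarded"] += 1
        return "forward"

def run_trace(packets):
    # Run a (timestamp, source) trace through a fresh port; return stats and verdicts.
    port = SubscriberPort(PORT_PREFIXES, PPS_LIMIT, RECOVERY_SECONDS)
    return port.stats, [port.ingress(ts, src) for ts, src in packets]

# Constructed trace: 10 legit packets, 2 spoofed, a 150-packet flood, one after recovery.
TRACE = ([(i * 0.05, "198.51.100.2") for i in range(10)]
         + [(1.0, "203.0.113.9"), (1.1, "192.0.2.77")]
         + [(2.0 + i * 0.001, "198.51.100.3") for i in range(150)]
         + [(200.0, "198.51.100.2")])
```

Running `run_trace(TRACE)` shows the spoofed sources dropped by the BCP 38 check while the flood from an assigned address is stopped only by the errdisable threshold, which is the distinction the thread draws between the two controls.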