2012/2/8 George Bonser <gbon...@seven.com>
> > -----Original Message-----
> > From: bas
> > Sent: Tuesday, February 07, 2012 11:56 PM
> > To: Dobbins, Roland; nanog
> > Subject: Re: UDP port 80 DDoS attack
> >
> > Say eyeball provider X has implemented automated S/RTBH, and I have a
> > grudge against them.
> > I would simply DoS a couple of the subscribers *with spoofed source IP*
> > addresses from google, youtube, netflow and hulu.
> > The automated S/RTBH drops all packets coming from those IP addresses.
> > Presto; many angry consumers call the ISP's helpdesk.
>
> Comes back to providers allowing "spoofed" traffic into their networks
> from customers. That seems to me to be the low-hanging fruit here.
>

How do you stop it? Granted, traffic from 10/8 or 127.0.0.1 coming in via an upstream is obvious, but that's about it. There's nothing in a packet that will tell you where it came from compared to the source IP field in the IP header. uRPF is a problem for anyone who's sufficiently multihomed since it causes asymmetric routing.
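The following is an added worked example, not part of the thread or written by any of its participants. It models the three controls the posts above argue about as a toy policy engine: a BCP38-style customer-edge ingress filter that only accepts sources from the prefixes assigned to that port, unicast RPF in strict and loose mode against a small forwarding table, and an automated source-based RTBH that blackholes whatever source it sees in attack traffic. All prefixes, interface names (cust0, peer1, peer2, upstream0) and the FIB are constructed from RFC 5737 and RFC 1918 space and are assumptions for illustration; the loose-mode check is modelled with the default route ignored (the equivalent of leaving allow-default off).

```python
"""Toy model of customer-edge ingress filtering, uRPF and automated
source-based RTBH against spoofed-source traffic. Constructed example;
addresses are documentation/private space and the FIB is made up."""
import ipaddress

ip = ipaddress.ip_address
net = ipaddress.ip_network

# Sources that should never arrive from an upstream (the "obvious" case).
BOGONS = [net(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                           "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed FIB: prefix -> interface on the best path towards it.
FIB = {
    net("198.51.100.0/24"): "cust0",   # single-homed customer on cust0
    net("203.0.113.0/24"): "peer1",    # multihomed peer, best path via peer1
    net("0.0.0.0/0"): "upstream0",     # default route (ignored by uRPF here)
}

# Constructed per-port assignments for customer-facing interfaces.
CUSTOMER_PREFIXES = {"cust0": [net("198.51.100.0/24")]}


def is_bogon(src):
    """True if src falls in private/loopback/link-local space."""
    return any(ip(src) in b for b in BOGONS)


def ingress_filter(src, iface):
    """BCP38-style check on a customer port: the source must lie inside a
    prefix assigned to that port. Non-customer ports pass here and are
    left to uRPF / bogon filtering."""
    if iface not in CUSTOMER_PREFIXES:
        return True
    return any(ip(src) in p for p in CUSTOMER_PREFIXES[iface])


def lookup(src):
    """Longest-prefix match in FIB; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if ip(src) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf(src, iface, mode):
    """Unicast RPF. strict: the best route back to src must exit via the
    arrival interface. loose: any non-default route to src suffices.
    Returns True if the packet passes."""
    route = lookup(src)
    if route is None or route[0].prefixlen == 0:   # no route, or only default
        return False
    if mode == "strict":
        return route[1] == iface
    if mode == "loose":
        return True
    raise ValueError(mode)


class SourceRTBH:
    """Automated source-based blackhole: every source seen in attack
    traffic is dropped from then on, genuine sender or not."""

    def __init__(self):
        self.blackholed = set()

    def observe_attack(self, src):
        self.blackholed.add(ip(src))

    def forwards(self, src):
        return ip(src) not in self.blackholed


def demo():
    """Run each control against legitimate and spoofed packets."""
    r = {}
    # Spoofed packet claiming a content provider's address, arriving on a
    # customer port: caught by the per-port ingress filter.
    r["spoof_on_cust0"] = ingress_filter("203.0.113.10", "cust0")
    r["legit_on_cust0"] = ingress_filter("198.51.100.5", "cust0")
    # Private-space source from an upstream: caught by the bogon list.
    r["bogon_upstream"] = is_bogon("10.1.2.3")
    # Multihomed peer sends in via peer2 while our best path back is peer1:
    # strict uRPF drops legitimate traffic, loose mode does not.
    r["strict_asym"] = urpf("203.0.113.10", "peer2", "strict")
    r["loose_asym"] = urpf("203.0.113.10", "peer2", "loose")
    # Loose mode still drops a source with no route at all.
    r["unrouted_loose"] = urpf("192.0.2.1", "peer2", "loose")
    # Automated S/RTBH fed spoofed sources blackholes the spoofed party.
    rtbh = SourceRTBH()
    rtbh.observe_attack("203.0.113.10")
    r["provider_blackholed"] = not rtbh.forwards("203.0.113.10")
    return r


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {passed}")
```

The point the toy makes concrete: the per-port filter needs no routing knowledge at all, just the list of prefixes handed to that customer, which is why it is the cheap control; loose uRPF only rejects sources that are unrouted, so a spoofed address belonging to a routed content provider sails through it; and the automated blackhole, given spoofed sources, faithfully drops the party being impersonated.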