Anti-DDoS
Hal Murray
hmurray at megapathdsl.net
Sun Jul 3 18:50:39 UTC 2016
Is there consensus on what we should be doing? Actually, I'm looking for a
bigger picture of what all UDP services should be doing. DNS is the other
obvious example.
If you had asked me a year or two ago, I would have said "rate limiting" and
thought that solved the problem. It does solve the reflection attack, but it
opens things up to a different type of attack.
A bad guy can deny service to Bob at selected servers by sending forged
packets to those servers so they start rate limiting him. That doesn't take
a lot of traffic so it won't stand out and most of the infrastructure won't
even know there is a problem. (That does require that you can figure out
what servers Bob is talking to.)
Is there any good writeup on why BCP-38 is so hard to implement and/or why it
isn't implemented more often? I assume it's money. Is the problem that routers
can't do it (fast enough)? Or maybe ISPs don't have their act together?
--
These are my opinions. I hate spam.
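Added example, not part of Hal's post and not code from ntpd or any other NTP or DNS implementation: a small per-source token-bucket rate limiter in Python, run against constructed packet traces to show both halves of the trade-off described above. The first trace is a reflection attempt (many queries carrying a spoofed victim address), which the limiter caps. The second is the collateral case: a low-volume stream of packets forged with Bob's address drains Bob's bucket just before each of his real queries, so Bob is denied service at that server. All addresses, timings, and the rate/burst parameters are constructed for the demonstration; the one thing the code takes as given is that a stateless UDP server can only key its limiter on the packet's claimed source address, which is exactly the assumption BCP-38 filtering is meant to make safe.

```python
from collections import defaultdict


class SourceRateLimiter:
    """Token bucket keyed on the packet's *claimed* source address.

    A UDP server has no handshake, so the unverified source address in the
    IP header is the only thing it can key on. Constructed parameters:
    `rate` tokens/second refill, `burst` bucket capacity.
    """

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # src -> (tokens, last_seen_time)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)  # no token: drop, but keep the clock
        return False


def simulate(packets, rate=1.0, burst=4):
    """Replay (time, claimed_src, label) packets through the limiter.

    Returns {label: (answered, dropped)} so the effect on each traffic
    class can be compared.
    """
    limiter = SourceRateLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, src, label in sorted(packets):
        stats[label][0 if limiter.allow(src, t) else 1] += 1
    return {label: tuple(counts) for label, counts in stats.items()}


def bob_alone():
    # Constructed baseline: Bob polls once every 10 seconds, nobody else.
    bob = "192.0.2.10"
    pkts = [(float(t), bob, "bob-real") for t in range(5, 60, 10)]
    return simulate(pkts)


def reflection_scenario():
    # Constructed: 200 queries in one second, all claiming the victim's address.
    # Without the limiter every one would be answered toward the victim.
    victim = "198.51.100.7"
    pkts = [(i * 0.005, victim, "spoofed-as-victim") for i in range(200)]
    return simulate(pkts)


def collateral_scenario():
    # Constructed: Bob still polls every 10 s, but five forged packets carrying
    # Bob's address arrive ~0.1 s before each real query. That is 30 packets
    # in a minute, i.e. 0.5 pkt/s, yet every one of Bob's queries is dropped.
    bob = "192.0.2.10"
    pkts = [(float(t), bob, "bob-real") for t in range(5, 60, 10)]
    pkts += [
        (t - 0.1 + 0.01 * i, bob, "forged-bob")
        for t in range(5, 60, 10)
        for i in range(5)
    ]
    return simulate(pkts)


if __name__ == "__main__":
    print("baseline   :", bob_alone())
    print("reflection :", reflection_scenario())
    print("collateral :", collateral_scenario())
```

The reflection run shows the limiter doing its job: of 200 spoofed queries, only the burst plus the refill rate get answered, so the amplified traffic sent toward the victim is bounded. The collateral run shows the cost: because the limiter cannot distinguish Bob's packets from forged ones that claim his address, a trickle of forged packets keeps Bob's bucket empty at exactly the moments he polls, and the server never sees enough volume to notice anything is wrong. The limiter itself is behaving correctly; the gap is upstream, in the absence of source-address validation.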