hmurray at megapathdsl.net
Sun Jul 3 18:50:39 UTC 2016
Is there consensus on what we should be doing? Actually, I'm looking for a
bigger picture of what all UDP services should be doing. DNS is the other
If you had asked me a year or two ago, I would have said "rate limiting" and
thought that solved the problem. It does solve the reflection attack, but it
opens things up to a different type of attack.
A bad guy can deny service to Bob at selected servers by sending forged
packets to those servers so they start rate limiting him. That doesn't take
a lot of traffic so it won't stand out and most of the infrastructure won't
even know there is a problem. (That does require that you can figure out
what servers Bob is talking to.)
Is there any good writeup on why BCP-38 is so hard to implement and/or why it
isn't implemented more often? I assume it's money. Is the problem routers
can't do it? (fast enough) Or maybe ISPs don't have their act together?
These are my opinions. I hate spam.
More information about the devel