Mouse mouse at Rodents-Montreal.ORG
Tue Feb 11 17:15:09 UTC 2014

> However, this is unwarranted.  The problem is not NTP, the problem is
> the lack of source address filtering.

I would say that even that is only a symptom, that the problem is that
people have been granted authority over resources without having
concomitant responsibility for their use imposed.  Lack of egress
filtering by leaf providers is just one symptom of this.  (Only leaf
providers can really do this; once your customers are large enough to
multihome, the administrative burden of egress filtering goes _way_ up.)

> I propose that the existence of an ISP without source address
> filtering is handled by a reputation system similar to what was
> brought in place to bring down open SMTP relays, [...]

Unfortunately it is more difficult because the offender is much harder
for the victim to identify.  Suppose, for example, that I get a packet
with ip_src forged to  How can I IDP that sender, even
just for me?  I can't.  I can't even tell the difference between two
senders in different places forging such traffic to me.  I have to get
my upstream to push it to _their_ upstream, etc, until reaching an
offender.  But with open SMTP relays, I can reject the traffic without
needing help from my upstream.

> Just disconnect every provider that refuses to set up source address
> filtering until they give in.  No source address filtering?  No
> traffic from you. Period.

If providers were willing to cut off paying abusers, we wouldn't be in
this mess.  Since we are, they aren't, and this is a pipe dream.

Yes, this is depressing.  It is one of the reasons I am growing to
loathe today's net.
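An added illustration of the two points above (what a leaf provider's source-address filter actually checks, and why a strict reverse-path check breaks once a customer multihomes), as example code that is not part of the original message or the thread. Interface names, prefixes and the routing table are constructed for the example; the filter follows the BCP38 / RFC 2827 idea of permitting only sources delegated to the customer on the receiving interface.

```python
"""
Hypothetical BCP38-style ingress filtering at a leaf provider's edge.
Example code written for illustration, not taken from the original post.
All interface names, prefixes and routes below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Prefix = ipaddress.IPv4Network

# Constructed customer assignments: which prefixes each customer-facing
# interface is allowed to source traffic from.
CUSTOMER_PREFIXES: Dict[str, List[Prefix]] = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],     # single-homed
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/24")],  # single-homed
    "ge-0/0/3": [ipaddress.ip_network("203.0.113.0/24")],   # multihomed customer
}

# Constructed routing table of the same router: destination prefix -> the
# interface the best route leaves through.  The multihomed customer also
# announces 203.0.113.0/24 via a second provider, and from this router's
# point of view the best path to it happens to be the peering link.
BEST_ROUTE: Dict[Prefix, str] = {
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/1",
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/2",
    ipaddress.ip_network("203.0.113.0/24"): "xe-1/0/0",  # peering, not customer port
}


def ingress_permits(iface: str, src: str) -> bool:
    """Per-interface source-address ACL (the filter a leaf provider can
    maintain by hand): permit only sources delegated to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in CUSTOMER_PREFIXES.get(iface, []))


def strict_urpf_permits(iface: str, src: str) -> bool:
    """Strict reverse-path check: accept a source only if the best route
    back to it leaves via the interface the packet arrived on.  Uses a
    longest-prefix match over BEST_ROUTE; unknown sources are dropped."""
    addr = ipaddress.ip_address(src)
    for prefix, out_iface in sorted(BEST_ROUTE.items(),
                                    key=lambda kv: kv[0].prefixlen,
                                    reverse=True):
        if addr in prefix:
            return out_iface == iface
    return False


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Run both checks over (iface, src, dst) tuples and return
    (iface, src, dst, acl_verdict, urpf_verdict) for each packet."""
    out = []
    for iface, src, dst in packets:
        acl = "permit" if ingress_permits(iface, src) else "drop"
        urpf = "permit" if strict_urpf_permits(iface, src) else "drop"
        out.append((iface, src, dst, acl, urpf))
    return out


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate packet, a spoofed one
    # pretending to come from another customer, and legitimate traffic
    # from the multihomed customer.
    sample = [
        ("ge-0/0/1", "192.0.2.7", "198.18.0.1"),
        ("ge-0/0/1", "198.51.100.9", "198.18.0.1"),   # spoofed source
        ("ge-0/0/3", "203.0.113.5", "198.18.0.1"),    # multihomed, genuine
    ]
    for row in filter_packets(sample):
        print("%-9s src=%-14s dst=%-11s acl=%-6s strict-urpf=%s" % row)
```

The per-interface ACL drops the spoofed packet and keeps both legitimate ones, but it only works because someone keeps the prefix list per customer up to date. The strict reverse-path check needs no such list, yet it drops the multihomed customer's genuine traffic because the return path is asymmetric; that is the point at which the provider either goes back to hand-maintained per-customer lists or relaxes the check to a loose one that no longer stops spoofing of routable addresses.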

