New Denial of Service Attack on Panix

I would personally like to see this topic added as an agenda item at
the upcoming Ann Arbor NANOG meeting. At least a brief discussion of
conventional wisdom (filter on valid source prefixes at periphery, etc.)
should be in order.

- paul

Dear NANOG/IEPG Folks;

As you should know by now from reading the papers, Panix, the first ISP in
NYC, has come under a new denial of service attack. The Wall Street Journal
quoted Bill Cheswick to the effect that the attack is "unstoppable". Almost,
but not quite, true.

It's true that there isn't anything that Panix can do on its own to stop
this attack. It's true that it would be hard to verify source addresses at
MAEs and NAPs. But we could all verify source addresses at the first hop
entry points. And get default route and unauthorized transit protection to
boot.

And ask that anybody with non-Cisco experience submit the appropriate
filters for other brands of router so we can get the widest possible use
of source filtering implemented.

I still haven't seen anyone here volunteer a website for this although
http://www.mtiweb.com/isp has some information available.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
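
The first-hop source check discussed in this thread, as an added example that is not part of the original messages: a packet is forwarded only if its source address falls inside a prefix assigned to the interface it arrived on. The interface names, prefixes (documentation ranges) and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed table: customer-facing interface -> prefixes assigned to that
# customer. Names and prefixes are hypothetical (documentation address ranges).
ASSIGNED = {
    "Serial0": ["192.0.2.0/24"],
    "Serial1": ["198.51.100.0/25", "203.0.113.0/24"],
}

def build_filters(assigned):
    """Parse the prefix strings once so each packet check is a membership test."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def permit(filters, ifname, src):
    """True only if src lies in a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # An interface with no entry has an empty list, i.e. implicit deny.
    return any(addr in net for net in filters.get(ifname, []))

def filter_packets(filters, packets):
    """Split (ingress interface, source, destination) tuples into forwarded/dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(filters, pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic.
SAMPLE = [
    ("Serial0", "192.0.2.17", "203.0.113.80"),      # customer's own address
    ("Serial0", "10.1.2.3", "203.0.113.80"),        # forged source
    ("Serial0", "198.51.100.5", "203.0.113.80"),    # real address, wrong port
    ("Serial1", "198.51.100.5", "192.0.2.1"),       # valid on this interface
    ("Serial1", "198.51.100.200", "192.0.2.1"),     # outside the assigned /25
    ("Ethernet9", "192.0.2.17", "203.0.113.80"),    # interface without a filter
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_filters(ASSIGNED), SAMPLE)
    for pkt in drop:
        print("drop  in=%s src=%s dst=%s" % pkt)
    print("%d forwarded, %d dropped" % (len(fwd), len(drop)))
```
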