I would personally like to see this topic added as an agenda item at
the upcoming Ann Arbor NANOG meeting. At least a brief discussion of
conventional wisdom (filter on valid source prefixes at periphery, etc.)
should be in order.
- paul
Dear NANOG/IEPG Folks;
As you should know by now from reading the papers, Panix, the first ISP in
NYC, has come under a new denial of service attack. The Wall Street Journal
quoted Bill Cheswick to the effect that the attack is "unstoppable". Almost,
but not quite, true.It's true that there isn't anything that Panix can do on its own to stop
this attack. It's true that it would be hard to verify source addresses at
MAEs and NAPs. But we could all verify source addresses at the first hop
entry points. And get default route and unauthorized transit protection to
boot.