http://www.businessweek.com/news/2010-02-10/google-plans-to-build-high-speed-fiber-optic-networks-update2-.html
http://googleblog.blogspot.com/2010/02/think-big-with-gig-our-experimental.html
What do folks think?
Residential computers with enough bandwidth to DoS
hosting providers; that should be fun. Maybe it will
encourage the incumbent ISPs to start offering users
meaningful bgp communities since they won't be able
to keep up with the abuse reports.
David
* David Hubbard:
> Residential computers with enough bandwidth to DoS
> hosting providers; that should be fun.
How is this different from a typical dorm network?
(Perhaps with all that P2P filtering software in place,
it's a mere self-DoS nowadays, but the analogy was not
that far off five years ago or so, with less bandwidth,
of course.)
> Residential computers with enough bandwidth to DoS
> hosting providers; that should be fun. Maybe it will
> encourage the incumbent ISPs to start offering users
> meaningful bgp communities since they won't be able
> to keep up with the abuse reports.
> David
That's already here today.
tv
Our typical gambling/casino customer has maybe 1 - 2 Mbps available to
them. Pretty much anyone in the U.S. could DDoS them if they didn't
have their HTTP/HTTPS traffic proxied and there are plenty more
without any protection at all.
Jeff
Enough to DoS hosting providers based on _current_ practices. If 1g
FTTH catches on, hosting providers will probably want 10/100 Gigabit
transfer technology in a short time.
For now.. with 1gigabit residential connections, BCP 38 OUGHT to be
Google's answer. If Google handles that properly, they _should_
make it mandatory that all traffic from residential customers be
filtered, in all cases, in order to only forward packets with
their legitimately assigned or registry-issued publicly verifiable
IP prefix(es) in the IP source field. Must be mandatory even for
'resellers', otherwise there's no point.
And Google should provide _reasonable_ response to investigate manual
abuse reports to well-publicized points of contact which go directly
to a well-staffed dedicated abuse team, with authority and a clear and
expeditious resolution process, as a bare minimum, and in addition
to any and all automatic measures.
P.S. reasonable abuse response is not defined as a 4-day delayed
answer to a 'help, no contact addresses will answer me' post on nanog
(long after automated processes finally kicked in).. Reasonable
response to a continuous 1gigabit flood or 100 kilopacket flood
should be less than 12 hours.
If they think things through carefully (rather than copy+paste
Google groups e-mail abuse management), it'll probably be alright.
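As an added illustration of the BCP 38 ingress policy James describes (this is not code from the thread, from Google, or from any router vendor): a per-port source-address check run over constructed sample packets. The customer prefix assignments use RFC 5737 and RFC 3849 documentation ranges and are assumptions, not real allocations.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CustomerPort:
    """One access port (or reseller hand-off) and the prefixes assigned to it."""
    name: str
    assigned: list = field(default_factory=list)  # constructed, not real assignments


def build_ingress_filter(ports):
    """Return check(port_name, src_ip) -> (forward, reason).

    A packet is forwarded only if its IP source field falls inside a prefix
    legitimately assigned to the port it arrived on (BCP 38 ingress filtering).
    Anything else, including private space and a neighbour's prefix, is dropped.
    """
    table = {p.name: [ipaddress.ip_network(n) for n in p.assigned] for p in ports}

    def check(port_name, src_ip):
        src = ipaddress.ip_address(src_ip)
        nets = table.get(port_name)
        if nets is None:
            return False, "unknown port %s" % port_name
        for net in nets:
            if src.version == net.version and src in net:
                return True, "source %s within assigned prefix %s" % (src, net)
        return False, "source %s not in prefixes assigned to %s" % (src, port_name)

    return check


# Constructed ports: two direct customers and one reseller hand-off.
PORTS = [
    CustomerPort("cust-a", ["192.0.2.0/24"]),
    CustomerPort("cust-b", ["198.51.100.0/24"]),
    CustomerPort("reseller-1", ["203.0.113.0/24", "2001:db8::/32"]),
]

# Constructed sample packets as (ingress port, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.50"),        # legitimate
    ("cust-a", "198.51.100.7", "203.0.113.50"),      # spoofing cust-b's prefix
    ("cust-b", "198.51.100.7", "203.0.113.50"),      # legitimate
    ("reseller-1", "2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate v6
    ("reseller-1", "10.0.0.1", "203.0.113.50"),      # RFC 1918 source, not assigned
]


def filter_packets(check, packets):
    """Split packets into (forwarded, dropped) lists, each entry carrying the reason."""
    forwarded, dropped = [], []
    for port, src, dst in packets:
        ok, reason = check(port, src)
        (forwarded if ok else dropped).append((port, src, dst, reason))
    return forwarded, dropped
```

The dropped list is what an abuse desk would want logged per port, since it names the spoofed source and the port it arrived on.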
David Hubbard wrote:
> Residential computers with enough bandwidth to DoS
> hosting providers; that should be fun. Maybe it will
> encourage the incumbent ISPs to start offering users
> meaningful bgp communities since they won't be able
> to keep up with the abuse reports.
Residential customers already have enough bandwidth to DOS hosting
providers.
James Hess wrote:
> For now.. with 1gigabit residential connections, BCP 38 OUGHT to be
> Google's answer. If Google handles that properly, they _should_
> make it mandatory that all traffic from residential customers be
> filtered, in all cases, in order to only forward packets with
> their legitimately assigned or registry-issued publicly verifiable
> IP prefix(es) in the IP source field. Must be mandatory even for
> 'resellers', otherwise there's no point.
The amount of DOS that is spoofed today is by all reports significantly
lower as percentage of overall DOS than it was in say 2000.
BCP 38 is all fine and dandy, and you should implement it, but it's not
going to stop the botnets.
Yup. Many have these devices they call "Routers" they buy locally that translate spoofed addresses to some well-known outside "public" IP.
(They may well still emit "spoofed garbage" but typically for another reason).
- Jared
James Hess wrote:
> For now.. with 1gigabit residential connections, BCP 38 OUGHT to be
> Google's answer. If Google handles that properly, they _should_
> make it mandatory that all traffic from residential customers be
> filtered, in all cases, in order to only forward packets with
> their legitimately assigned or registry-issued publicly verifiable
> IP prefix(es) in the IP source field. Must be mandatory even for
> 'resellers', otherwise there's no point.
> The amount of DOS that is spoofed today is by all reports significantly
> lower as percentage of overall DOS than it was in say 2000.
> BCP 38 is all fine and dandy, and you should implement it, but it's not
> going to stop the botnets.
After re-reading the original post Google will be providing BOTH
a) generic L2 transport for resellers to use in reaching users/subscribers
b) their own L3 product
Enforcing 'resellers' to do BCP38 on their L2 product reads synonymous
to "boondoggle." Further, who cares? This isn't where the "bad stuff"
is given the context of a multi-access L2 network.
> P.S. reasonable abuse response is not defined as a 4-day delayed
> answer to a 'help, no contact addresses will answer me' post on nanog
> (long after automated processes finally kicked in).. Reasonable
> response to a continuous 1gigabit flood or 100 kilopacket flood
> should be less than 12 hours.
NOCs that give a crap are good, but we have other tools at our
disposal. I find that customers tend to 'take note' they've screwed up
something badly when their port goes ERRDISABLE and loses link for a
few minutes. I understand that NANOG typically doesn't concern itself
with edge-access techniques, but there are easy ways to mitigate a lot
of what a NOC might have to handle. Perhaps it's worth forking this
thread to discuss?
Done well, this should end up somewhere near 'unimportant' or a 'non-issue.'
-Tk