Why do ISPs still not do packet source verification in 2010?

William_Pitcock · December 20, 2010, 2:41pm

Hi,

I am wondering why it seems that many ISPs still do not do packet
source verification in 2010? Just last night I had to deal with a DoS
attack that would have been impossible if more ISPs did packet source
verification.

I mean, it's 2010. We can do IP-level ACLs in hardware on most of the
current routing platforms on the market. I know it can be done on
Cisco, Brocade, etc. Not sure on the new NX-OS stuff, but the 6500
series chassis can do IP-level ACL in hardware.

The ACLs aren't hard either, you set an ACL forbidding traffic from
anything other than an access-list containing their allocated IP
ranges...

Grumble.

(on the other hand, it's not like spoofing does any good anyway... if
you're willing to work the netflow data and call your upstreams to get
at their netflow data you can easily trace each bot in the botnet to
it's origination network which can then look at their traffic flow data
and shut it down...)

William

Nick_Hilliard3 · December 20, 2010, 6:11pm

as regards urpf on the sup720 / rsp720: ipv4, yes; ipv6, no.

BTW, it's worth asking this question when purchasing new equipment: "does the equipment support both loose and strict ipv6 urpf in hardware right now. if not, what is the timescale for implementation of each?".

The results are currently not very good.

Vendors: please note that support for ipv6 urpf (both strict and loose) is a basic networking requirement these days.

Nick