Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 557032
Soulbender Member since: 2005-08-18

I doubt that'd ever be very useful in practice because it's going to be very unlikely to find any IP addresses that Cogent can route to and HE cannot.


No, but at an IX there are other players than big providers and you might not want to accept any source from those. That said, the proper place to prevent spoofing is at the customer-facing equipment. Once that is done you've solved the spoofing problem.

Edited 2013-03-29 07:13 UTC

Score: 2

Alfman Member since: 2011-01-28

Soulbender,

"No but at an IX there are other players than big providers and you might not want to accept any source from those."

Even so, I don't imagine smaller peers would be accepting and routing traffic for IPs that they're not advertising. Filters at the destination are likely redundant. Maybe it's not a bad thing to do, but it wouldn't seem likely to help in a case like this either.


"That said, the proper place to prevent spoofing is at the customer-facing equipment. Once that is done you've solved the spoofing problem."

I agree, if you could trust every border router to do source-IP filtering for their own authoritative networks, then spoofed packets would never make it onto the internet. Ultimately, the best we can do is limit the size of the circle of trust by keeping most casual users on the outside of core routers and scrubbing the packets that get in for things like spoofed IPs. This is still a big challenge when we consider that the internet transcends national and administrative boundaries.

Score: 2
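
The customer-edge source filtering discussed in the comments above, as an added example that is not part of the original thread: each customer-facing port forwards a packet only if its source address falls inside a prefix assigned to that port. The port names, prefixes (documentation ranges) and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed example: prefixes assigned to each customer-facing port
# (documentation ranges, not real allocations).
CUSTOMER_PORTS = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}


def build_filters(port_prefixes):
    """Parse the per-port prefix lists into ip_network objects once."""
    return {
        port: [ipaddress.ip_network(p) for p in prefixes]
        for port, prefixes in port_prefixes.items()
    }


def permit_source(filters, port, src):
    """Return True only if src belongs to a prefix assigned to that port.

    Unknown ports and unparsable addresses are dropped (fail closed).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(
        addr.version == net.version and addr in net
        for net in filters.get(port, [])
    )


def filter_packets(filters, packets):
    """Split (port, src) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for port, src in packets:
        (forwarded if permit_source(filters, port, src) else dropped).append((port, src))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample traffic seen on the customer-facing ports.
    sample = [
        ("cust-a", "192.0.2.10"),     # inside cust-a's /25
        ("cust-a", "198.51.100.7"),   # cust-b's space arriving on cust-a's port
        ("cust-b", "203.0.113.5"),    # outside every assigned prefix
        ("cust-a", "2001:db8:a::1"),  # inside cust-a's IPv6 /48
    ]
    fwd, drop = filter_packets(build_filters(CUSTOMER_PORTS), sample)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The check is keyed on the ingress port, so an address that is valid for one customer is still dropped when it arrives from another customer's port.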