denied NS/IN

Nathan Ollerenshaw chrome at stupendous.net
Fri Jan 23 23:48:10 UTC 2009


On 24/01/2009, at 9:57 AM, Mark Andrews wrote:

> 	If you don't also have blessed silence on the counters
> 	on this rule there is still a problem and you should be
> 	complaining to whoever is sending the packets to you.
>
> 	This just stops the amplification it doesn't clear up the
> 	problem.

Not every operator out there gives a damn. Getting the entire planet  
to implement ingress filtering is an admirable goal, but much like  
every other 'recommendation' out there, there are huge chunks of the  
internet that won't ever implement it out of ignorance and we'll be  
stuck with spoofed traffic.

Conversation I had with one of the guys in our networking team:

"So, we're not under attack? We're just reflecting a small amount of  
traffic back to a victim?"

"correct, it is negligible load for us"

"Ok, it's not severity 1 then, none of our customers are affected and
it's not affecting us. I'll look at it when I get time."

Which means, of course, never.

Nathan.


