by samplonius 3550 days ago
You are not the first to come up with this idea. This same thought has been posted every year for the past 20 or so years in mailing lists, forums or Usenet (though lately, not too often to Usenet).

I think prevention should be emphasized. If there wasn't so much garbage plugged into the Internet, there wouldn't be huge botnets to send DDoSes. There are few groups that scan the Internet for vulnerable systems, and rather than compromise them, send notices to the ISPs. In Canada, the CCIRC does this. But they only check IP blocks assigned to Canadian ISPs and enterprises.

Plus, why do so many ISPs still allow spoofing of IPs? It isn't 1999 anymore.

We should start a grass roots group to talk to everyone they meet, and get people to update their OSes, devices, and get rid of crap.

2 comments

> though lately, not too often to Usenet

Which pretty much illustrates the worst-case outcome: spam and trolling rendered completely worthless.

The quickest way to achieve that would be to hold ISPs legally responsible for any damage caused by their failure to block spoofed traffic from their own network.

I'm not sure how well this would work outside of the U.S. though. Not everyone is as litigious as Americans are.

The latest attack wasn't using spoofed traffic, from my understanding. Hacked devices were directly sending traffic.

And I ask you this: how is an ISP supposed to know if a device is hacked, or, for example, whether it is a webcam uploading a stream to a redistribution site? It can take days to chase down all the IPs, even in the US, and get the ISPs to deal with them.

Should not a router be able to do this filtering? Making Internet Exchange Points do it would be even quicker. Once big IXPs do it, smaller ones would follow suit for fear of being cut off, and eventually ISPs.

Filtering can only be enforced at boundaries where an operator can say "Link N will only/never have traffic for net range foo/16." And it isn't always possible to make strong blanket statements like that.

Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection, the types of networks connecting and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.

For example: I send a packet to google, it passes from AS 123 through AS 456 to AS 789. How is AS 789 going to tell the difference between a packet from me, and a forgery originating from AS 456?

It can't. One solution would be blackholing AS 456 from AS 789 at the request of its members. Hopefully this will teach 456 to stop misbehaving.

Though we do assume that the AS won't itself misbehave and send a spoofed packet to one of its member peers, and most of the time that's true.

We have to worry about misbehaving ISPs, for which the previously mentioned filtering works.

> Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection, the types of networks connecting and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.

I don't think so. An IXP can force peers to provide their IP space, even if it's the whole Internet. At least they won't be able to spoof IPs outside of their space. If they do spoof a DDoS from their own space, the above solution would probably suffice.

EDIT: I just realized a peer already has to give destination IP ranges. So IXPs don't have to force anyone.
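To make the three-AS example and the IXP point in the thread concrete, here is an added illustration (not posted by any commenter; the AS numbers follow the thread, the link names and prefixes are constructed from RFC 5737 documentation ranges) of how a per-link source filter behaves at a customer edge versus at a peering link:

```python
import ipaddress

# Constructed topology: my host 203.0.113.5 sits in AS 123, which sends
# traffic through AS 456 to AS 789.  For each link we list the source
# prefixes an operator can truthfully say "will only carry"; that list is
# what an ingress (BCP 38 style) filter on that link checks against.
LINKS = {
    # one customer behind this port, so the statement can be tight
    "AS123 customer edge": ["203.0.113.0/24"],
    # the peering link carries everything in AS 456's customer cone,
    # so AS 789 can only say "sources inside these ranges"
    "AS456 -> AS789 peering": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Ordered list of filtered links a packet crosses, depending on where it enters
PATH_FROM_MY_HOST = ["AS123 customer edge", "AS456 -> AS789 peering"]
# A forgery injected inside AS 456 never crosses AS 123's customer edge
PATH_FROM_INSIDE_AS456 = ["AS456 -> AS789 peering"]


def ingress_allows(link_name, src):
    """True if src falls inside a prefix this link is allowed to carry."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in LINKS[link_name])


def trace(path, src):
    """Walk the path; return ('dropped', link) at the first rejecting filter,
    or ('delivered', None) if every filter on the path accepts the source."""
    for link in path:
        if not ingress_allows(link, src):
            return ("dropped", link)
    return ("delivered", None)


if __name__ == "__main__":
    cases = [
        (PATH_FROM_MY_HOST, "203.0.113.5"),      # my real address: delivered
        (PATH_FROM_MY_HOST, "192.0.2.9"),        # I spoof outside my ISP's space: edge drops it
        (PATH_FROM_INSIDE_AS456, "203.0.113.5"), # forgery claiming to be me: AS 789 can't tell
        (PATH_FROM_INSIDE_AS456, "192.0.2.9"),   # forgery outside AS 456's space: peering drops it
    ]
    for path, src in cases:
        print(f"{src:>13} via {path[0]!r:<26} -> {trace(path, src)}")
```

The third case is the thread's point: a source inside AS 456's announced space is legitimate on that peering link, so the only defence left to AS 789 is the per-AS action (blackholing) rather than a per-packet filter.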