by kijin 3552 days ago
The quickest way to achieve that would be to hold ISPs legally responsible for any damage caused by their failure to block spoofed traffic from their own network.

I'm not sure how well this would work outside of the U.S. though. Not everyone is as litigious as Americans are.

2 comments

The latest attack wasn't using spoofed traffic, from my understanding. Hacked devices were directly sending traffic.

And I ask you this: how is an ISP supposed to know if a device is hacked or, for example, a webcam uploading a stream to a redistribution site? It can take days to chase down all the IPs, even in the US, and get the ISPs to deal with them.

Should not a router be able to do this filtering? Making Internet Exchange Points do it would be even quicker. Once big IXPs do it, smaller ones would follow suit for fear of being cut off, and eventually ISPs.

Filtering can only be enforced at boundaries where an operator can say "Link N will only/never have traffic for net range foo/16." And it isn't always possible to make strong blanket statements like that.

Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection, the types of networks connecting and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.

For example: I send a packet to Google, it passes from AS 123 through AS 456 to AS 789. How is AS 789 going to tell the difference between a packet from me and a forgery originating from AS 456?
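An added illustration of the point above (example code, not from anyone in the thread): a small Python model of per-link source-address filtering, the BCP 38 idea, showing that a strict filter works where an operator knows the exact source range of a link but gives AS 789 no way to tell a genuine packet from AS 123 apart from one AS 456 forged with the same source. The AS numbers follow the comment; the prefixes are constructed from RFC 5737 documentation ranges and the link names are hypothetical.

```python
import ipaddress

# Constructed topology from the comment: AS 123 (stub) -> AS 456 (transit) -> AS 789.
# Prefixes are RFC 5737 documentation ranges, chosen only for this example.
STUB_123 = ipaddress.ip_network("192.0.2.0/24")
TRANSIT_456_OWN = ipaddress.ip_network("198.51.100.0/24")
EDGE_789 = ipaddress.ip_network("203.0.113.0/24")

# Per-link policy: the source prefixes an operator can honestly say
# "Link N will only carry". An empty list means "could be anything",
# i.e. a transit interconnect that forwards the whole Internet.
LINK_POLICY = {
    # AS 456's link to its stub customer AS 123: only 123's space should arrive here,
    # so a packet claiming any other source can be dropped with confidence.
    "as456-from-as123": [STUB_123],
    # AS 789's link to AS 456: 456 legitimately forwards its own space AND 123's,
    # so a forged packet with a 123 source is indistinguishable from a genuine one.
    "as789-from-as456": [STUB_123, TRANSIT_456_OWN],
    # AS 789's link to a full-transit upstream: no usable source constraint at all.
    "as789-from-upstream": [],
}


def allowed_on_link(link: str, src: str) -> bool:
    """True if a packet with source address `src` passes the ingress filter on `link`."""
    allowed = LINK_POLICY[link]
    if not allowed:
        # Operator cannot bound the sources on this link: filtering is a no-op.
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def filter_distinguishes(link: str, genuine_src: str, forged_src: str) -> bool:
    """True only if the filter on `link` treats the genuine and forged packet differently."""
    return allowed_on_link(link, genuine_src) != allowed_on_link(link, forged_src)


if __name__ == "__main__":
    # A stub customer spoofing someone else's space is caught one hop upstream.
    print("456 drops spoof from 123:", not allowed_on_link("as456-from-as123", "198.51.100.5"))
    # A forgery from 456 with a 123 source looks exactly like the real thing to 789.
    print("789 can tell them apart:", filter_distinguishes("as789-from-as456", "192.0.2.10", "192.0.2.10"))
    # 789 can still drop a forgery of its own space arriving from 456.
    print("789 drops own space from 456:", not allowed_on_link("as789-from-as456", "203.0.113.7"))
```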

It can't. One solution would be blackholing AS 456 from AS 789 at the request of its members. Hopefully this will teach 456 to stop misbehaving.

Though we do assume that the AS won't itself misbehave and send a spoofed packet to one of its member peers, and most of the time that's true.

We have to worry about misbehaving ISPs, for which the previously mentioned filtering works.

> Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection, the types of networks connecting and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.

I don't think so. An IXP can force peers to provide their IP space, even if it's the whole Internet. At least they won't be able to spoof IPs outside of their space. If they do spoof a DDoS from their own space, the above solution would probably suffice.

EDIT: I just realized the peer already has to give destination IP ranges. So the IXP doesn't have to force anyone.