Tuesday, March 4, 2014

Methods to Stop DDOS Are Known; Why Aren't They Used?

"The technical community has repeatedly published methods to mitigate DDoS reflection and amplification attacks. The post mortems of nearly every DDoS attack include recommendations to implement anti-spoofing measures, to eliminate unbounded open DNS resolvers and open NTP servers, and to contain other UDP-based services within administrative boundaries.

I’m not optimistic that we’ll see any meaningful adoption of these mitigations for three simple reasons: willingness to pay, willingness to cooperate, and willingness to execute. ISPs, citing cost or performance, are reluctant to implement ingress filtering. Private networks are lax in implementing egress filtering at firewalls. Therefore DDoS attacks remain largely unabated:"
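A model of the source-address validation (ingress filtering at an ISP customer port, egress filtering at a private network's firewall) that the quoted post says is known but rarely deployed; this is an added example, not code from the original post or its author, and the interface names, prefixes and packets are constructed sample data.

```python
"""BCP 38-style anti-spoofing as a packet-filter model.

Each interface is bound to the prefixes legitimately reachable behind it.
A packet whose source address is not covered by its ingress interface's
prefixes is spoofed and is dropped; that is exactly the traffic a DNS or
NTP reflection attack depends on forwarding.
"""
import ipaddress
from collections import Counter

# Hypothetical interface-to-prefix bindings (constructed sample data).
# "cust-a"/"cust-b": ISP edge ports facing customers (ingress filtering).
# "lan": a private network's inside interface at its firewall (egress filtering).
INTERFACE_PREFIXES = {
    "cust-a": ["203.0.113.0/25", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.128/25"],
    "lan": ["192.0.2.0/24"],
}

_COMPILED = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in INTERFACE_PREFIXES.items()
}


def source_allowed(iface: str, src: str) -> bool:
    """True if src falls inside a prefix bound to iface; unknown interfaces deny all.
    Address-family mismatches (an IPv4 source vs an IPv6 prefix) simply do not match."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _COMPILED.get(iface, ()))


def filter_packets(packets):
    """Split (iface, src, dst, proto, dport) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_allowed(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


def spoof_sources(dropped):
    """Count dropped packets per (interface, destination port): the port that
    sources spoofed UDP/53 or UDP/123 traffic is where the filter is missing."""
    return Counter((pkt[0], pkt[4]) for pkt in dropped)


# Constructed sample traffic: two legitimate flows, plus two packets carrying a
# victim's address as source, aimed at open DNS (UDP/53) and NTP (UDP/123) reflectors.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10", "198.51.100.53", "udp", 53),
    ("lan", "192.0.2.7", "198.51.100.123", "udp", 123),
    ("cust-a", "198.51.100.200", "198.51.100.53", "udp", 53),  # spoofed victim source
    ("cust-b", "192.0.2.9", "198.51.100.123", "udp", 123),  # source belongs to another network
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} by_port={dict(spoof_sources(drop))}")
```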
