[c-nsp] DDoS + ME3600/ME3800
Phil Mayers
p.mayers at imperial.ac.uk
Thu Mar 28 07:13:49 EDT 2013
On 03/28/2013 10:52 AM, Nick Hilliard wrote:

> This latest round of DDoS attacks is putting operators under a lot of
> pressure to implement bcp38 on their networks. It's relatively

This is good to hear; it has dismayed me for years that this pressure
does not exist. How is it being applied?

> straightforward to do with strict urpf, but with ACLs, it requires more
> planning and work. This makes it a good deal more difficult to implement,
> which is harmful for the common good of the internet.

Particularly given the woeful state of automation on IOS; if there was a
simple script you could run hourly that pulled the running config and
applied any missing ACLs and updated/removed existing ones, driven by a
fairly simple policy, I imagine people would run it.

But absent something like Junoscript (and Netconf is *not* a
replacement, because of the lack of schema files on most platforms)
those scripts have the usual brittle "telnet/ssh & expect" and
"half-baked IOS CLI parser" issues that make everyone really nervous...
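
Added example, not part of the original post: a sketch of the reconcile step such an hourly script would need, comparing a per-interface source-prefix policy against a running-config excerpt and emitting only the commands that are missing or stale. The policy, the `BCP38-` ACL naming scheme and the config text are constructed assumptions, and it assumes the device prints ACL entries in exactly the form generated here, which is the parsing brittleness the post is worried about.

```python
import ipaddress
import re

# Constructed policy: customer-facing interface -> source prefixes it may send.
POLICY = {"GigabitEthernet0/1": ["192.0.2.0/24", "198.51.100.0/25"],
          "GigabitEthernet0/2": ["203.0.113.0/24"]}

# Constructed running-config excerpt (not captured from a real device).
RUNNING = """\
ip access-list extended BCP38-GigabitEthernet0-1
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 10.0.0.0 0.255.255.255 any
interface GigabitEthernet0/1
 ip access-group BCP38-GigabitEthernet0-1 in
!
interface GigabitEthernet0/2
"""

def wanted(prefixes):  # permits only; the ACL's implicit deny drops the rest
    nets = map(ipaddress.ip_network, prefixes)
    return {f"permit ip {n.network_address} {n.hostmask} any" for n in nets}

def parse(config):
    acls, bound, kind, name = {}, {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line starts a new stanza
            m = re.match(r"(ip access-list extended|interface) (\S+)$", line)
            kind, name = m.groups() if m else (None, None)
        elif kind == "interface":
            m = re.match(r" ip access-group (\S+) in$", line)
            if m:
                bound[name] = m.group(1)
        elif kind:
            acls.setdefault(name, set()).add(line.strip())
    return acls, bound

def reconcile(policy, config):
    acls, bound = parse(config)
    cmds = []
    for intf, prefixes in sorted(policy.items()):
        name = "BCP38-" + intf.replace("/", "-")  # hypothetical naming scheme
        want, have = wanted(prefixes), acls.get(name, set())
        if want != have:
            cmds.append(f"ip access-list extended {name}")
            cmds += [f" {e}" for e in sorted(want - have)]     # add missing first
            cmds += [f" no {e}" for e in sorted(have - want)]  # then drop stale
        if bound.get(intf) != name:
            cmds += [f"interface {intf}", f" ip access-group {name} in"]
    return cmds
```

Running `reconcile` against a config that already matches the policy returns an empty list, which is what makes it safe to schedule repeatedly.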