[nsp-sec] CUTRS: Community Unwanted Traffic Removal Service
Marc Kneppers
Marc.Kneppers at TELUS.COM
Fri May 16 17:13:28 EDT 2014
Hey John
The issue of trust always comes up. Do we trust the input feed enough to
assume that there will be minimal false-positives so that we'd implement
it at a larger-scale peering level?
"The list changes regularly as threats come and go."
How are you addressing questions like that? I'm assuming that this feed
has a higher chance of false positives given that DDoS has so much
spoofing. (you're going after the DDoS data plane now, not just the
signalling plane :)
(I'm a supporter of your efforts, here, though - don't get me wrong - just
asking the questions that will come)
Thanks
Marc
TELUS
AS852
On 2014-05-16, 2:15 PM, "John Kristoff" <jtk at cymru.com> wrote:
>----------- nsp-security Confidential --------
>
>It is all about having a cool acronym.
>
>Friends,
>
>We are "soft-launching" one of our new services with you and we hope you
>take to it, because we've had a lot of interest from the community to
>get something like this done. In a nutshell, this is just like the
>DDoS-RS BGP route service you may be familiar with, but now instead of
>using RTBH to thwart obviously obnoxious C&C's, this aims to help
>remove the attack traffic destined towards victims in a DDoS as far
>upstream or as close to the source as possible.
>
>Since it is the weekend, we won't set this up with anyone this week, but
>will give you time to mull it over and pick this up next week. Here is
>my working page introducing the service:
>
> <http://www.cymru.com/jtk/misc/cutrs.html>
>
>We also have a mailing list to foster discussion about the service and
>alerts of active DDoS attacks. We were considering having a small set
>of "trusted" community folks who might help run this, so if you're an
>operator with BGP and helping mitigate DDoS attacks is of interest to
>you, please approach us expressing your interest to help.
>
>This only works if we get both traffic carrying networks and victims
>cooperating together. Please contact me off list with any questions,
>comments or interest in participating.
>
>If you have some trustworthy network operators (not researchers at
>this time, real networks with BGP please) in mind who might be
>interested in this and are not on the list, please feel free to forward
>this to them. Ideally I'd like to be cc:'d so I know where this is
>going.
>
>Kindly,
>
>John
>
>