CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes:
This would be so terrifying if it weren’t advertising. Prince, of course, is in the business of selling protection against online attacks. And his company is, as far as I can tell, pretty good at this business. But he’s also clearly in the business of scaring people: in his blog post today, he warns that the Spamhaus attack “may prove to be relatively modest” compared to what comes next. Bigger nukes, I suppose.
Here’s another excerpt on the latest DDoS kerfuffle that made a lot of news recently.
So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others such as DNS service providers Afilias recommend the implementation of source address validation. An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing.
According to the article, one component of implementing this requires cooperation from ISPs, who may not see this as a priority.
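The source address validation that BCP-38 describes can be sketched as a per-port check at the ISP edge. The following is an added example, not code from either quoted article: a packet is forwarded only if its source address falls inside a prefix assigned to the customer port it arrived on. The port names, prefixes (documentation ranges) and sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed edge-router table: customer-facing port -> prefixes the ISP
# assigned to that customer (documentation address ranges only).
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Constructed sample traffic: (arrival port, source, destination, note)
PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.53", "legitimate DNS query"),
    ("cust-a", "203.0.113.7", "198.51.100.53", "source forged as a third party"),
    ("cust-b", "192.0.2.10", "198.51.100.53", "source belongs to cust-a"),
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::53", "legitimate IPv6 query"),
    ("cust-b", "not-an-ip", "198.51.100.53", "malformed source"),
]

def ingress_permits(port, src):
    """Ingress check: permit only sources inside a prefix assigned to port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # A port with no table entry has no valid sources, so everything drops.
    return any(addr.version == net.version and addr in net
               for net in ASSIGNED.get(port, []))

def filter_batch(packets):
    """Split packets into forwarded and dropped, counting drops per port."""
    forwarded, dropped, drops_per_port = [], [], {}
    for pkt in packets:
        port, src = pkt[0], pkt[1]
        if ingress_permits(port, src):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_per_port[port] = drops_per_port.get(port, 0) + 1
    return forwarded, dropped, drops_per_port

if __name__ == "__main__":
    fwd, drop, counts = filter_batch(PACKETS)
    for port, src, dst, note in drop:
        print(f"DROP  {port:7} {src:15} -> {dst}  ({note})")
    print("forwarded:", len(fwd), "drops per port:", counts)
```

The per-port drop counter is the part worth monitoring: a customer port that keeps sending out-of-prefix sources is either misconfigured or hosting a spoofing source. Only the network that assigned the prefixes holds the port-to-prefix mapping, which is why the check depends on ISP cooperation.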