Comment Re:Yes, you do BCP38 spoof-dropping at source (Score 1) 312

Sure, but if you have 2 ISPs routing your traffic, you have 2 connections - ISP A doesn't manage traffic for ISP B - you probably have 2 lines in this circumstance (or what's the point of redundancy if it's all carried through the same wire), so each ISP can filter their own IP traffic and ignore any from the other ISP - in fact, the 2nd ISP won't even be seeing the 1st ISP's traffic.

It's only once that data gets to the common carrier level for routing over the wider internet that this kind of thing occurs - and at that point it's too late, the dodgy packets have left the building and are now considered valid.

And again, if a customer is an ISP then they are the ones who should be egress filtering their traffic in the first place, anything else is just irresponsible and letting others do your dirty work (as best they can, which as we see, isn't the best).

I find it interesting that carriers will complain about traffic and try to charge companies like Netflix, yet won't do anything about ISPs that send them large amounts of spoofed SYN packets. Surely they should be asking for more money from ISPs who flood the upstream provider with such crap, then we might see them do something to prevent it!

Comment Re:Spoof (Score 1) 312

This wouldn't stop infected computers acting as botnets, but there's no single solution to fix it all, so egress filtering like this would help massively.

So - how do we persuade ISPs to stop allowing spoofed packets leaving their networks? What can we do to either hurt their marketing or force them to implement this?

Comment Re:Public Stoning is too good... (Score 1) 139

You seriously want an edge router to track every user that passes through them, the same routers you say handle gigabits of traffic per second? How would you handle such authentication? Do you have to have a user account with every ISP between you and your destination?

You don't need to authenticate users - they're already authenticated on every source ISP network, or you wouldn't be allowed to send packets at all. The problem is the ISPs are sloppy with everything after that, they assume you're legit, when you may be sending out all kinds of crap packets - mostly if you've been hacked and are sending out spoofed packets for the purpose of helping in a DDoS attack. Egress filtering fixes that one.

We are talking about DDoS attacks, not Microsoft, who is frankly a very big boy and can look after himself (assuming all but a skeleton crew weren't on holiday at the time).

Comment Re:Security at the small scale (Score 1) 112

Depends - if you're running on a shared webhost for $5 then you'll have more issues than cost to deal with - reliability and performance for instance.

But you don't need full-on dedicated servers where the DB is completely disconnected from the web server; if you are just trying to mitigate the issue of an insecure front-end, then simply running the rest of the system secured from each other with different user accounts and an application layer running as a service (written in something else) will provide you with some benefit. Obviously it won't help if the attacker gets root access to the underlying OS, as then you're screwed, but it'd be a start.

You need to ensure that your web site doesn't have access to your DB or other critical resources. If the attacker can gain access to your web server, then all he can do is call the same API you expose to the website, which often will do just what is needed (i.e. it will not let you download every cc number, or see any critical data like cc or password at all).

But overall, if you can afford $5 for a website, you are not storing anything critical at all. If you're paying more your site is important enough to pay the extra for security. You could still have a couple of $5 websites for the front end and then run the rest on a more serious VPS setup that is better secured, that's not going to break the bank.

Comment so the solution is.... (Score 3, Informative) 112

to assume every web server is hacked already.

Seriously, if you assume this, and code your way in a more secure, 3-tier manner, with a separate, and secured, application server, then you will mitigate all the problems with an insecure web server - well, at least they won't have full unfettered access to your database.

This may mean giving up those "all in one" frameworks people so love (whether it's PHP or .NET or any other language), but that can only be a good thing - writing an app server with a secure API isn't so hard to do, but it will mean your CEO won't have to appear on the news explaining why every user of his site needs to change their password and replace their credit cards.
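The separated application tier the comment argues for, as an added example that is not from the Slashdot thread: a hypothetical `AppServer` owns the data and exposes only narrow operations, and the `WebTier` holds nothing but a reference to that API. The in-memory dicts stand in for the database; in a real deployment the app tier is a separate process or host reached over a network API.

```python
# Added example, not from the original comments. AppServer and WebTier are
# hypothetical names; the user/card store is a constructed in-memory stand-in.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


class AppServer:
    """Application tier: owns the data, exposes only what the site needs."""

    def __init__(self):
        self._users = {}   # user -> (salt, pbkdf2 digest); never returned to callers
        self._cards = {}   # user -> card number (a processor token in reality)

    def register(self, user: str, password: str, card_number: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)
        self._cards[user] = card_number

    def verify_login(self, user: str, password: str) -> bool:
        """Yes/no only: the salt and hash stay inside the app tier."""
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, digest)

    def card_summary(self, user: str) -> str:
        """Masked PAN for display; there is no call that returns the full number."""
        pan = self._cards.get(user)
        return "****" + pan[-4:] if pan else ""


class WebTier:
    """Front end: can call the API above and nothing else, so a compromised
    web server can check a password or show a masked card, not dump tables."""

    def __init__(self, api: AppServer):
        self._api = api

    def login(self, user: str, password: str) -> bool:
        return self._api.verify_login(user, password)

    def account_page(self, user: str) -> dict:
        return {"user": user, "card": self._api.card_summary(user)}
```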

Comment Re:Public Stoning is too good... (Score 1) 139

but what data is "good" data?

Is an NTP request good or bad? You can't always tell the difference as they're all good, only not if you're getting 10,000 of them per second.

I'm sure every little website can afford to have a filtering proxy at all the exchanges around the world - after all, rack space in one of those is crazy cheap, and they let anyone put servers in there. Microsoft may be able to, but that doesn't help anyone else who will be subject to extortion from these scumbags. We need to improve our overall response to reduce the ability of these cunts to operate, not pay a fortune to mitigate their attacks when they decide (with almost impunity) to inflict them.

Comment Re:Public Stoning is too good... (Score 2) 139

It's not the service coding that is the issue - there's only so much network pipe to go round, and unless we build our entire networks to handle gigabits of traffic for every server that will almost never be used (at great expense) we'll have to find other ways to stop such attacks.

Of course, egress filtering would be a good first step. If only every big ISP did this, we'd make most DDoS attacks useless instantly. Then we only have to deal with compromised computers sending data, but if they cannot fake their IP source, we'll at least know who they are to clean them.

Comment Re:They're assholes. (Score 3, Insightful) 336

Ok, so there are many aspects to this - big corporation, single points of failure, 'improve security', steal credit cards/passwords, offline play, etc but there's one that stands out for me:

DDoS. It's trivially easy to send massive amounts of data at something and we have pitiful ways of mitigating it - in fact there is nothing you can do to mitigate it except buy more pipe than the attacker can fill. This is pants and isn't something the attacked companies can do anything about (except buy more pipe - which is ok if you're the size of Microsoft).

We need to start putting egress filtering in place to prevent these easy attacks, if the networks dropped all packets that didn't have a correct source IP, most DDoS would disappear as an attack (sure you'd still be able to gather lots of people/hacked machines together to instigate a DDoS but the attacker would be able to tell who they were and possibly get them fixed/cleaned for future).

The definition of a correct source IP - it's an IP address the ISP owns. It's too easy to just create packets that have a random source IP or the IP of the target. We should have fixed this aspect of the internet years ago.
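The rule the comment states ("a correct source IP is an IP address the ISP owns"), as an added example that is not from the Slashdot thread: a toy BCP38 egress filter over a constructed packet sample. The prefix list and the packet tuples are made up; the customer-port field shows how, once spoofed packets are dropped at the edge, the ISP can also see which customer link sent them.

```python
# Added example, not from the original comments. ISP_PREFIXES and
# SAMPLE_PACKETS are constructed data for a hypothetical ISP.
import ipaddress

# Constructed: address space this hypothetical ISP has allocated to customers.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample of packets arriving from customer ports:
# (customer_port, source_ip, destination_ip)
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.17", "192.0.2.10"),    # legitimate customer source
    ("port-2", "198.51.100.200", "192.0.2.10"),  # outside the /25: spoofed
    ("port-2", "192.0.2.10", "203.0.113.17"),    # source is the victim's address: spoofed
    ("port-3", "10.44.2.9", "192.0.2.10"),       # private range, never valid on the wire
    ("port-1", "203.0.113.250", "192.0.2.10"),   # legitimate customer source
]


def source_is_valid(src: str) -> bool:
    """BCP38 as stated in the comment: the source must be an address the ISP owns."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ISP_PREFIXES)


def egress_filter(packets):
    """Split packets into those forwarded upstream and those dropped at the edge."""
    forwarded, dropped = [], []
    for port, src, dst in packets:
        (forwarded if source_is_valid(src) else dropped).append((port, src, dst))
    return forwarded, dropped


def spoofing_ports(dropped):
    """Count drops per customer port: the 'know who they are to clean them' step.
    The spoofed source is useless, but the port the packet arrived on is not."""
    counts = {}
    for port, _, _ in dropped:
        counts[port] = counts.get(port, 0) + 1
    return counts
```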

Comment Re:Blah (Score 1) 351

He did it in LotR too - the Ents for example, decide (eventually) to fight out of responsibility. But in the film, they instantly change their mind in a simple, emotionally-crippled act of revenge.

It's like PJ doesn't understand complex emotions at all. He could have had the Ents gathered around slowly making their minds up like the UN deciding whether to intervene in the latest atrocity, but no - it had to be a very simplistic and obvious excuse for another CGI battle.

I'm only surprised he didn't have Wormtongue going "look into my eyes, you are feeling sleepy" at the start of any discussion with Theoden.

Comment Re:*sips pabst* (Score 2) 351

I don't think he meant "scrap copyright" but more keep it to the original terms of protecting the original author, not his great-great-great-grandkids.

FYI, under the original terms of copyright that were in force when Tolkien was alive, the copyright to the books would have lapsed in 2011. Surely that's long enough for the author to make money on his work?
