
Comment Re: Why are network providers allowing FORGED pack (Score 1) 158

It's not spoofing if you have your own AS and are sending traffic from your allocated IPs in that AS via multiple transit providers. When OP said:

...several of my customers were sending outbound traffic with source addresses not on my network

...he could have been indicating that he was providing transit to customers that had their own IP allocations, ergo the source addresses were not in his network.

Multi-homing doesn't necessarily mean "getting an account from two different retail ISPs and then NAT-ing differently depending on which interface you're leaving on"; we could be talking about BGP multi-homing here, in which case static ACLs are a total bitch, but, as mentioned above, other solutions exist.

Comment Re:And yet... (Score 1) 158

There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage.

I disagree. JunOS, for instance, runs a version of ntpd that's vulnerable to this, and by default adding any NTP servers to its config (to turn it into an NTP client) also makes it respond to NTP queries from any source IP with no auth. You're fine if it's an SRX or something in full flow mode, as in that case you need to explicitly tell the box to host NTP in a particular security zone or on a particular interface, but if it's a packet mode device (e.g. an EX switch or even an SRX in selective or full packet mode) it's wide open...and there are plenty of these things with live IPs and 100 Mbps plus bandwidth at their disposal. Hell, I've seen sites where ntpd bottlenecks the CPU before it gets to saturating the WAN link. There's plenty of bandwidth here.

Granted, that's halfway between a full "NTP server" and a "shitty little firewall", but that's still a lot of kit out there with a retarded default and lots of bandwidth at its disposal.

But it's not nearly so easy as you might think to blacklist a rogue ASN...

I was talking about RPF, not blacklisting ASNs. This doesn't require any cooperation between ASNs. Packet comes in; router checks the FIB to verify whether an active (strict mode) or viable (feasible mode) route exists out that interface for that source; if so, packet forwarded; if not, packet dropped (or logged or whatever you want, depending on your preferred vendor/gear). We're dropping individual packets here, not null-routing a block or dropping an entire AS off the map.

Granted, yes, it's not a "quick fix" for the problem but rather something that requires most if not all ISPs to get their shit together and implement this properly, but RPF is dynamic, not something that requires individual ASNs to be blacklisted. It's up to the ISP providing transit for the original source of the request packet with the spoofed address to have RPF enabled on the customer-/attacker-facing interface and to drop it there. If you're talking about the attacker actually having their own ASN and getting their traffic out via peering, then yes, it could start to get a bit trickier as these peers would need RPF on their peering interfaces and probably also want prefix-list filtering (which we're all doing anyway, right? ;) ) so they don't get garbage from this shitty AS.

For this issue, though, my money's on good-ol' botnets as the actual sources, so your vast majority of spoofed query packets will be originating on plain residential or business connections. Sourcing it from their own AS is possible, sure, but it seems like way too much overhead for little gain.

DDoS mitigation overall can have a lot of collateral damage and I'm not trying to make light of implementing RPF properly in a large network, but ISPs need to get their shit together and deal with this. Blame the admins of the NTP boxes amplifying and reflecting this (whether those are full servers, VMs, switches, or firewalls) and blame the ISPs that let the spoofed packets out of their networks in the first place. Both groups share responsibility in this.

Comment Re:And yet... (Score 4, Informative) 158

Except in this case (or other reflection attacks, i.e. you're dealing with source address spoofing), RPF on customer-facing interfaces should prevent the attack from leaving the ISP's network in the first place. Note that I'm talking about the ISP of the original machine performing the request with the spoofed source IP here, not even the ISP of the server that's being used for the reflection & amplification (which in this case is a vulnerable or misconfigured NTP server). The affected NTP servers need to be cleaned up as well, but the sources of the original packets also should be preventing the spoofed traffic from leaving their networks.
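
The RPF check described in the two comments above (look the source address up in the FIB, compare the result with the ingress interface, forward or drop), as an added example that is not part of the thread and is not any vendor's implementation: a small Python simulation of strict, feasible-path and loose unicast RPF against a constructed FIB. Interface names, prefixes and packets are made up for illustration (RFC 5737 documentation ranges). The multi-homed case is included because it is the one raised in the first comment: a BGP multi-homed customer whose best path is on another link gets dropped by strict mode but passes feasible-path mode, while the spoofed packet is dropped by both.

```python
"""Unicast RPF (uRPF) simulated against a small FIB.

Added example, not code from the Slashdot thread or from any router vendor.
All interface names, prefixes and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    best: str            # interface of the active (best) path
    feasible: frozenset  # every interface a path to this prefix was learned on


class Fib:
    """Longest-prefix-match table: most specific prefix is tried first."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[Route]:
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None


def urpf_permits(fib: Fib, mode: str, ingress: str, src: str, ignore_default: bool = True) -> bool:
    """True if a packet from `src` arriving on `ingress` passes uRPF in `mode`.

    strict   - the active best path to src must point back out the ingress interface
    feasible - any learned path to src (not only the best one) may point out the ingress
    loose    - a route to src merely has to exist, on any interface
    A hit on the default route counts as "no route" when ignore_default is set; without
    that, loose mode on a router carrying 0.0.0.0/0 accepts every source address.
    """
    route = fib.lookup(ipaddress.IPv4Address(src))
    if route is None:
        return False
    if ignore_default and route.prefix.prefixlen == 0:
        return False
    if mode == "strict":
        return route.best == ingress
    if mode == "feasible":
        return ingress in route.feasible
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


def build_fib() -> Fib:
    net = ipaddress.IPv4Network
    return Fib([
        # single-homed customer behind ge-0/0/1
        Route(net("198.51.100.0/24"), "ge-0/0/1", frozenset({"ge-0/0/1"})),
        # BGP multi-homed customer: prefix learned on two links, best path via ge-0/0/2
        Route(net("192.0.2.0/24"), "ge-0/0/2", frozenset({"ge-0/0/1", "ge-0/0/2"})),
        # remote network reached through upstream transit on xe-0/0/0
        Route(net("203.0.113.0/24"), "xe-0/0/0", frozenset({"xe-0/0/0"})),
        # default route, also via transit
        Route(net("0.0.0.0/0"), "xe-0/0/0", frozenset({"xe-0/0/0"})),
    ])


# constructed packets arriving on the customer-facing interface: (ingress, source, why)
PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "customer's own address"),
    ("ge-0/0/1", "203.0.113.5", "spoofed: address belongs to a remote network"),
    ("ge-0/0/1", "192.0.2.9", "multi-homed customer sending over its non-best link"),
    ("ge-0/0/1", "10.0.0.1", "unrouted source, only the default route matches"),
]


def evaluate(fib: Fib, packets, modes=("strict", "feasible", "loose")):
    """Return {(ingress, src): {mode: permitted}} for every packet and mode."""
    return {(ifc, src): {m: urpf_permits(fib, m, ifc, src) for m in modes}
            for ifc, src, _ in packets}


if __name__ == "__main__":
    results = evaluate(build_fib(), PACKETS)
    for ifc, src, why in PACKETS:
        verdicts = ", ".join(f"{m}={'forward' if ok else 'drop'}"
                             for m, ok in results[(ifc, src)].items())
        print(f"{src:>14} on {ifc} ({why}): {verdicts}")
```

Strict mode is the right setting on a single-homed customer port; on a link to a BGP multi-homed customer, feasible-path mode (Junos `unicast-reverse-path feasible-paths` under `routing-options forwarding-table`, combined with `rpf-check` on the interface) keeps the spoofed packet out without dropping the customer's legitimate asymmetric traffic. Loose mode (Cisco `ip verify unicast source reachable-via any`, as opposed to `rx` for strict) only catches sources with no route at all, and on a router that carries a default route it catches nothing unless the default route is excluded from the check, which is why the example treats a default-route hit as no route.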

Comment Re:Common Sense, anyone? (Score 1) 788

No, those that have more to lose by the government dissolving should pay more.

They do pay more. Even if you went with a flat tax they pay more. E.g., a 20% flat tax: a) Low income: $20,000 @ 20% income tax => $4,000 income tax; b) Middle income: $50,000 @ 20% income tax => $10,000 income tax; c) High income: $200,000 @ 20% income tax => $40,000 income tax.

It's simple math, folks. For the folks clamouring for those "rich folks" to pay a bigger share of the tax burden per person, they already do. Are there breaks for investment, business, etc? Of course. These are incentives to keep money flowing into these ventures, to move money around into places where it might be useful rather than sitting in a vault somewhere doing nothing.

You become wealthy by having your money work for you. Usury was banned by Christianity for a long time for more or less that precise reason...

Yes, I get that there are tax exemptions etc, with a favourite being exemptions and lower taxation rates on capital gains, which people seem to often single out as some exclusive luxury of the rich that allows them to generate millions and leave us all in the dust. We should also be specific here about what we mean by "usury". Are we talking about the notion of charging an outrageous level of interest, or the older notion of charging any interest at all? Are you against the notion of any interest being charged for lending money? If I lend you $5,000, I am depriving myself of that money and any benefits to be had for it in order to provide you with the opportunity to use that money. Should it be illegal for me to have any incentive to do that other than being a nice guy? Should we rely entirely on the selflessness of the wealthy in order for money to be loaned to those who might benefit from it?

I'm getting a bit off track; trying to get back: Putting together an exhaustive argument on this would take more time than I have on hand at the moment, but some thoughts to consider:

1) The money put into investments does not come from nowhere. The principal on the investment either comes from money earned through labour or, very frequently, it is borrowed. If I can find a profitable way to loan out money that I have earned, will you hold that against me? If I borrow money to invest, I am assuming the risk on that loan. I could very well lose my shirt while the bank still collects on their low risk investment (loaning me money).

2) Investments and capital gains are not some exclusive vehicle of the rich. No one is stopping you from generating capital gains. No one is preventing you from putting aside 5-10% or even less of your pay cheque to start saving and investing your money. It really isn't rocket science; read some books, do your homework; it isn't beyond anyone with a basic education. And if you really don't feel comfortable selecting investments, you can always opt for CDs or T-Bills if you want to play it "safe", though you'd hardly beat inflation. If you can't squeeze that, you can always borrow; heck, you can even get tax deductions on the interest for your investment loans.

I guess what I'm coming down to is this: If you have a problem with generating income from loaning money (i.e. interest), could you elaborate on that? No one is stopping you from generating investment income. Are there risks involved? Of course, and it's your call whether or not you want to take on that risk. It is often pointed out that people who are wealthier generate that wealth through business or investments. That's true. They took on the risk and were successful. If you are unwilling to take on the risk and then rail against the wealth of those who did, that points to envy that someone else had the guts to take that step while you looked on from the side.

Comment Re:I've been waiting for this. (Score 1) 521

I think I'm missing something here.

I came across 6 cops arresting a guy on my bike ride home

Routine enough. Having 6 officers there may be excessive or it may not. If anything, having more people available to take someone in reduces the risk of harm to that person, the police officers involved, and any bystanders.

I recorded it. I watched for a while from the bike path. Then I moved up and started recording.

No problem there. You should be able to film what you want & those in authority should be held accountable, so no problem.

...mostly in an effort to irritate them

...mkay...so...cops are busy busting somebody, which, sure, I guess I can give you that 0.5% chance they're abusing their authority, but overwhelmingly they're likely busy, you know, keeping the peace and picking up somebody who has either committed a crime or is a suspect in a crime. So...you feel the need to irritate the people who put their ass on the line almost daily to try to keep people safe?

...as I passed I said, "Remember the G8? 1000 cops with no ID beating up civilians? It's us against you now."

Here's where we disconnect a bit. When you get into an intense situation like that, you need to identify and suppress the flash points in the crowd, otherwise things become really messy really fast. So, when someone strikes out at the police or throws a rock or whatever, you need to isolate that, remove it from the crowd, and deal with it. If you leave it alone, the energy starts to build up around the flash point until you eventually reach a tipping point where something snaps.

Just look at the recent Vancouver riot for examples of this. In '94 the cops got lambasted for being too harsh. So, there were reviews, changes in tactics, training, etc., contributing in a big way to the "meet & greet" policy of showing police presence that has developed since. This year, the cops start with their meet & greet thing and try gentle crowd dispersal, see that it's simply not gonna cut it, switch into riot control mode, and you end up with a bunch of cars flipped & burned, looting, dozens of people in the hospital, thousands if not millions of dollars of damage, a PR black eye for the city, and they get hammered for not being tough enough. Damned if you do & damned if you don't, but if the cops need to slap on some riot gear and take out the instigators to keep the situation from getting ugly, you bet your ass that gets my vote over being nice and cuddly and then having to deal with the consequences.

At the same time, I get it: It was an intense situation and there is a lot of controversy over how it went down. People at that level of authority need to be held to the highest standard of integrity. While I don't know the state of mind of every single police officer who was there, I'm willing to bet that the vast majority and very likely almost every single one of them were there with an intention to keep people as safe as possible. Yes, I understand that there are exceptions and problems. Generalizing the actions of some people and simply labeling a huge group as your enemy as a result hardly fixes the problem, though.

I'm veering off course here now. What started me on that point was mostly the "It's us against you now" bit in your story. When you draw up battle lines like that, you only escalate the situation. What were these 6 cops doing wrong? The mandate of a police force is to enforce the laws of the jurisdiction and to protect the people within that jurisdiction. That includes protecting you. Would you rather spit in the face of someone who's charged with protecting you and make it harder for them to do their job, or find a way to keep them on task?

Most people have no idea of how much police work goes on every single day without incident. Then you get a hot situation like the G20/G8, with thousands of split-second decisions that need to be made with people's safety at risk. Mistakes happen. I'm not giving cops a free pass here: Recognizing that sometimes things go sideways in no way absolves people of responsibility for their actions. E.g. 2:20 in this clip is messed up. I don't get firing even gas canisters at someone at that close range. But for some of the other parts of that clip: I'm sorry, but you don't get to whine about police brutality when you're hurling rocks at the cops and they tackle you and toss you in a detention centre. Getting tackled to the ground and detained with an ample level of force is perfectly reasonable in a lot of situations, especially if you are resisting arrest as a lot of people were doing. And if you think that when your impromptu, temporary detention centre doesn't have a bench to sleep on, has a cold floor and only three little sandwiches that counts as police brutality (not kidding; it's in that same clip at 1:50 - 2:20), you need a reality check.

Two or three of them wished me a nice day... ...I have to say though, Ottawa cops are pretty proper.

So, you go in with the intention to irritate people charged with protecting you, draw up battle lines with them with an "us versus them" statement, and they respond with a smile and a wave and wish you on your way. This is the thing I don't get. Every single day cops get beat up, spit on, cursed and reviled, and they take it with a smile and nod. Any cop I've ever met takes that on because they believe it's worth it to keep people safe. And yet you continue to call them your enemy and obstruct them wherever you can. How does that make sense? If you think the cops need to be held to a higher standard, then work to hold them accountable. Film them, report abuse of authority or force; whatever. But this can be done in a way that supports honest policing and provides information, or in a way where you act like an immature prick that bites the hand that feeds him.

Comment Re:Sad, but I can see doing it too (Score 1) 950

...go over to the DA/prosecuting attorney, and stab him with it. Take out his eyes if possible (he's a lawyer, he deserves it).

Defense lawyers are more likely to be the shady ones. Prosecuting attorneys are paid by the state and try to match up a crime with its perpetrator and get a fitting sentence applied. Defense attorneys may be hired by the state (if you're poor and ask for one) or hired privately by suspects ($$$ ka-ching!!!) to try every trick in the book to make sure the charges don't stick, including "technicalities".

Taking gobs of cash to try to furnish a get-out-of-jail card irrespective of actual guilt or innocence? Yeah, that gets me kinda riled up. Taking a gov't salary (peanuts in comparison to defense) for trying to ensure there is a consequence to committing a crime? Not so much...
