toward their customers. Reasons include higher cost of operation (since SAV burns some energy and requires extra training and monitoring), but the big reason why SAV isn’t the default is: SAV benefits only other people’s customers, not an operator’s own customers.

There is no way to audit a network from outside to determine if it practices SAV. Any kind of compliance testing for SAV has to be done by a device that’s inside the network whose compliance is in question. That means the same network operator who has no incentive in the first place to deploy SAV at all is the only party who can tell whether SAV is deployed. This does not bode well for a general improvement in SAV conditions, even if bolstered by law or treaty. It could become an insurance and audit requirement in countries where insurance and auditing are common, but as long as most of the world has no reason to care about SAV, it’s safe to assume that enough of the Internet’s edge will always permit packet-level source-address forgery, so that we had better start learning how to live with it—for all eternity.

While there are some interesting problems in data poisoning made possible by the lack of SAV, by far the most dangerous thing about packet forgery is the way it facilitates DDoS (distributed denial of service) [2]. If anybody can emit a packet claiming to be from anybody else, then a modest stream of requests by an attacker, forged to appear to have come from the victim, directed at publicly reachable and massively powerful Internet servers, will cause that victim to drown in responses to requests they never made. Worse, the victim can’t trace the attack back to where it entered the network and has no recourse other than to wait for the attack to end, or hire a powerful network-security vendor to absorb the attack so that the victim’s other services remain reachable during the attack [3].

DOMAIN NAME SYSTEM RESPONSE RATE LIMITING

During a wave of attacks a few years ago where massively powerful public DNS (Domain Name System) servers were being used to reflect and amplify some very potent DDoS attacks, Internet researchers Paul Vixie and Vernon Schryver developed a system called DNS RRL (Response Rate Limiting) that allowed the operators of the DNS servers being used for these reflected amplified attacks to deliberately drop the subset of their input request flow that was statistically likely to be attack-related [4]. DNS RRL is not a perfect solution, since it can cause slight delays in a minority of normal (non-attack) transactions during attack conditions. The DNS RRL tradeoff, however, is obviously considered a positive since all modern DNS servers and even a few IPS/IDS (intrusion protection system/intrusion detection system) products now have some form of DNS RRL, and many TLD (top-level domain) DNS servers are running DNS RRL. Operators of powerful Internet servers must all learn and follow Stan Lee’s law (as voiced by Spider-Man): “With great power comes great responsibility.”

DNS RRL was a domain-specific solution, relying on detailed knowledge of DNS itself. For example, the reason DNS RRL is response rate limiting is that the mere fact of a question’s arrival does not tell the rate limiter enough to make a decision as to whether that request is or is not likely to be part of an attack. Given also a prospective response, though, it is possible with high confidence to detect spoofed-source questions and thereby reduce the utility of the DNS server as a reflecting DDoS amplifier, while still providing “good enough” service to non-attack traffic occurring at the same time—even if that non-attack traffic is very similar to the attack.
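To make the response-keyed design concrete, here is an added Python sketch of the RRL decision logic; it is illustrative code, not code from the article or from any DNS server implementation. The Prospective type, the parameter names, the /24 client aggregation, the grouping of error responses and the "slip" behaviour (answering every Nth over-limit query with a truncated response so a genuine client retries over TCP) are simplifications modelled on how deployed RRL implementations behave.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Prospective:
    """A response the server has already computed but not yet sent (hypothetical type)."""
    client_ip: str
    qname: str
    qtype: str
    rcode: str  # "NOERROR", "NXDOMAIN", "REFUSED", ...


class ResponseRateLimiter:
    """Simplified RRL: a per-second budget keyed on the prospective response, not the question."""

    def __init__(self, responses_per_second=5, slip=2, prefixlen=24):
        self.rps = responses_per_second
        self.slip = slip          # every slip-th over-limit response is truncated instead of dropped
        self.prefixlen = prefixlen
        self.buckets = {}         # key -> (window_second, responses_in_window)
        self.over_limit = {}      # key -> over-limit responses seen so far (drives slip)

    def _key(self, r):
        # Forged sources inside one victim prefix share a budget, so aggregate by network.
        net = str(ip_network(f"{r.client_ip}/{self.prefixlen}", strict=False))
        if r.rcode == "NOERROR":
            return (net, r.qname.lower(), r.qtype)   # identical answers share one bucket
        return (net, r.rcode)                        # random-name error floods collapse too

    def decide(self, r, now):
        """Return 'send', 'slip' (send with TC=1 so a real client retries over TCP) or 'drop'."""
        key, second = self._key(r), int(now)
        start, count = self.buckets.get(key, (second, 0))
        if start != second:                          # new one-second window: reset the count
            start, count = second, 0
        count += 1
        self.buckets[key] = (start, count)
        if count <= self.rps:
            return "send"
        over = self.over_limit.get(key, 0) + 1
        self.over_limit[key] = over
        return "slip" if self.slip and over % self.slip == 0 else "drop"


def simulate_reflection_flood():
    """Constructed traffic: 20 identical queries forged from a victim /24 within one second,
    then one unrelated client asking the same question. Returns (flood tally, other's decision)."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    tally = {"send": 0, "slip": 0, "drop": 0}
    for i in range(20):
        tally[rrl.decide(Prospective(f"203.0.113.{i}", "example.com", "A", "NOERROR"), 100.0)] += 1
    other = rrl.decide(Prospective("198.51.100.7", "example.com", "A", "NOERROR"), 100.0)
    return tally, other   # -> ({'send': 5, 'slip': 7, 'drop': 8}, 'send')
```

The flood toward the victim prefix is cut to five full answers plus a trickle of truncated ones, while the unrelated client, whose response lands in a different bucket, is answered normally; a non-attack client inside the victim prefix would see the same "slip" and recover over TCP, which is the "slight delay" the text describes.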
The economics of information warfare is no different from any other kind of warfare—one seeks to defend at a lower cost than the attacker, and to attack at a lower cost than the defender. DNS RRL
