
In my humble opinion, the focus should be less on memcached, which is today's problem. It should be on IP spoofing in general:

https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-...

We will have amplification attacks as long as we have ISPs that permit (and benefit from) spoofing.



It's a simple fix. Just need an egress ACL. UDP packets with source IPs not from here should never make it past the edge router.

Lies, damn lies and UDP packets.


What are the reasons this has been so difficult? It seems like this must have been desirable for decades. Is the config of internal and external just tricky? Does some legitimate traffic use this so it's difficult to get everyone to switch to alternatives?


There are some incentive misalignments. Each AS that configures it is doing it to protect its neighbors, and does not benefit from itself having configured this way. Best practice suggestions only go so far.

Another aspect is, if you configure it not just with your own prefixes but also that of your peers and downstreams (and their downstreams etc), then you need a source of ground truth. (Remember that not all ASes need to announce everything they have, all the time.) This is usually an out of band database. Then you have the problem of database needing to verify the truth, and keeping all the data fresh, etc.


The article lists multiple reasons related to how routing works. While great in concept, it is nearly impossible in non-residential spaces.


If we can simply ask hosts to not send packets with spoofed source addresses, then surely we can just ask them not to send any DoS attacks in the first place?

Dunno, but somehow this just doesn't feel like such a realistic approach to me.


Or just uRPF enabled on the server facing SVIs in the DC. Simples.
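Added example, not from any commenter in this thread: a small Python model of the two controls described above, a BCP38 egress ACL at the edge router and strict uRPF on the server-facing SVIs, run over a constructed FIB and sample packets (RFC 5737 documentation addresses; the interface names are made up). It also shows what each control catches: the edge ACL only stops spoofed packets leaving towards the ISP, while uRPF on the SVI also stops spoofing between internal VLANs.

```python
import ipaddress

# Constructed FIB for a small DC edge router: (prefix, interface). Longest prefix wins.
# Addresses are RFC 5737 documentation ranges; IPv4 only.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),        # default route to the ISP
    (ipaddress.ip_network("198.51.100.0/24"), "svi10"),    # server VLAN 10
    (ipaddress.ip_network("203.0.113.0/24"), "svi20"),     # server VLAN 20
]
# Prefixes this network is allowed to source from (the BCP38 egress ACL's permit list).
OWN_PREFIXES = [net for net, ifc in FIB if ifc != "uplink0"]

# Constructed sample packets: (src, dst, ingress interface).
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.1", "svi10"),     # legitimate server -> internet
    ("192.0.2.55", "198.51.100.7", "uplink0"),  # legitimate internet -> server
    ("192.0.2.55", "203.0.113.9", "svi10"),     # spoofed source, stays inside the DC
    ("203.0.113.9", "192.0.2.1", "svi10"),      # VLAN 10 host spoofing a VLAN 20 address
    ("192.0.2.55", "192.0.2.1", "svi10"),       # spoofed source, headed to the internet
]

def lookup(ip):
    """Longest-prefix match: the interface the router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_urpf(src, ingress):
    """Strict uRPF on an SVI: accept only if the return path to src is the ingress interface."""
    return lookup(src) == ingress

def bcp38_egress(src):
    """BCP38 egress ACL at the edge: only our own prefixes may leave towards the ISP."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)

def filter_packets(packets, urpf=True):
    """Return (src, verdict) per packet; uRPF runs on ingress, the egress ACL only on uplink0."""
    verdicts = []
    for src, dst, ingress in packets:
        if urpf and not strict_urpf(src, ingress):
            verdicts.append((src, "drop: uRPF"))
        elif lookup(dst) == "uplink0" and not bcp38_egress(src):
            verdicts.append((src, "drop: egress ACL"))
        else:
            verdicts.append((src, "forward"))
    return verdicts

if __name__ == "__main__":
    for mode in (True, False):
        print("uRPF on" if mode else "edge ACL only", filter_packets(SAMPLE_PACKETS, urpf=mode))
```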


Um, the article pretty clearly touches on why it’s difficult if not impossible for ISPs to do this…


My read was that networks where traffic originates can and should prevent spoofing (edit: that is, prevent their own networks from sending spoofed traffic, not prevent others from spoofing their addresses) via egress filtering (per BCP38), whereas the stuff about FooCorp and CloudFlare is about transit/destination networks trying to prevent spoofing via ingress filtering. Did I misunderstand something?


I feel the same way, but I worry that ISPs won't ever change unless they're forced to. I'm starting to wonder if Google should just stop accepting (or start delaying?) traffic to or from ISPs that allow spoofed traffic. I mean it doesn't feel hard to test.

On the one hand I already avoid Google because they're getting uncomfortably large, but on the other hand I feel like it's going to take a company of Google's size to take a stand, or regulatory changes, before anything will change for the better here.

It worked for improving the SSL situation and for distrusting bad CAs, didn't it? Non-rhetorical question, it feels like it did to me.


Why Google?


Merely because they're big enough to throw their clout around, which could be a good thing or bad thing depending on how you view it.

Could also be Apple, or Amazon, or maybe Netflix. Any large enough company really.


Why company? Why not one of these organisations:

https://en.wikipedia.org/wiki/List_of_telecommunications_reg...

for example?


Do you think IPv6 will change things for the better?


Not if I can spoof my IP6 address as easily as I can spoof an IP4 one, nope.


One thing about IPv6 is that you cannot scan the entire address range looking for open (memcached or other) servers like you can with IPv4.


Turns out that is not as true as you would think in practice. You can reduce the search space significantly because of known IPv6 prefixes, EUI-64, a MAC address database, and trying a few additional likely addresses such as ::1, ::fffe, etc.

Not sure what the original source I read on it was, but you can try this: https://www.internetsociety.org/blog/2015/02/ipv6-security-m...


But servers will almost certainly have a DNS entry. So they aren't really hidden in the immensity of the address space.


Would they be publicly resolvable? And even if they are, how would you find the name? Wouldn't a lot of these machines be internal infrastructure of various companies?



