North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: no ip forged-source-address
- From: Barney Wolff
- Date: Wed Oct 30 14:54:27 2002
On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote:
> Traceback would get me instantly back to the offending subnet but then it
> would take a bit of digging on the network admin to track me down and
> applying RPF checking won't help.
Sure. But do you really want to give up a 95% solution just because
it doesn't get you the last inch? We have no solution that will do
that. Being able instantly to identify the subnets from which DDoS
traffic is coming would make shutting off those subnets during the
attack possible*, and that in turn would motivate the subnet owners
to clean up their hosts.
* I suspect that an attack that actually comes from 1000 compromised
hosts does not come from nearly that many subnets. Is there any data?
As a historical note, I put SAA in the filters for the ATT Worldnet
dialup network from its very start in 1995. Work by smb on the
dangers of spoofed source addresses was already public then. It's
long past time for the rest of the world to catch up.
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.