Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: no ip forged-source-address

  • From: Barney Wolff
  • Date: Wed Oct 30 14:54:27 2002

On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote:
> 
> Traceback would get me instantly back to the offending subnet but then it
> would take a bit of digging on the network admin to track me down and
> applying RPF checking won't help.

Sure.  But do you really want to give up a 95% solution just because
it doesn't get you the last inch?  We have no solution that will do
that.  Being able instantly to identify the subnets from which DDoS
traffic is coming would make shutting off those subnets during the
attack possible*, and that in turn would motivate the subnet owners
to clean up their hosts.

* I suspect that an attack that actually comes from 1000 compromised
hosts does not come from nearly that many subnets.  Is there any data?

As a historical note, I put SAA in the filters for the ATT Worldnet
dialup network from its very start in 1995.  Work by smb on the
dangers of spoofed source addresses was already public then.  It's
long past time for the rest of the world to catch up.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.