North American Network Operators Group

Re: Re[4]: SYN floods (was: does history repeat itself?)
Pat Calhoun writes:
> However if you are filtering on your outbound router to the net,
> there is still the possibility that a malicious user could spoof
> addresses as long as they belong to your address space. By moving the
> filter out to the edge (when you have the equipment) this eliminates
> that problem as well.

I think that's less of a problem -- spoofing addresses inside the network narrows down your origin enough that you are very likely to be caught or shut down quickly. It might have an advantage in stopping ankle-biter attacks against your own equipment by your users, though.

I think that aggressively sanity-filtering the net at all junctions is probably a good idea in general, though. Would that we had the CPU power...

(What's needed, I think, is a cheap box that just does filtering. If it did it in hardware, it could be very fast (needed for high speed lines) and possibly even cheap.)

Perry
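The filter placement discussed in this message, as an added Python example that is not part of the original thread: it compares an outbound filter on the border router with per-port filters at the edge, run over constructed packets. The prefixes, port names and function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed topology using documentation prefixes (assumed, not from the thread).
PROVIDER_SPACE = ipaddress.ip_network("198.51.100.0/24")
EDGE_PORTS = {
    "port-a": ipaddress.ip_network("198.51.100.0/28"),
    "port-b": ipaddress.ip_network("198.51.100.16/28"),
}

def border_filter(src):
    """Outbound filter on the router facing the net: pass any source in our space."""
    return ipaddress.ip_address(src) in PROVIDER_SPACE

def edge_filter(port, src):
    """Filter on the customer-facing port: pass only that port's assigned prefix."""
    return ipaddress.ip_address(src) in EDGE_PORTS[port]

# Constructed sample packets: (ingress port, source address, description).
PACKETS = [
    ("port-a", "198.51.100.5", "legitimate"),
    ("port-a", "203.0.113.9", "spoofed, outside provider space"),
    ("port-a", "198.51.100.20", "spoofed, neighbour's address inside provider space"),
]

def evaluate(packets):
    """Return {description: (passes_border, passes_edge)} for each packet."""
    return {
        desc: (border_filter(src), edge_filter(port, src))
        for port, src, desc in packets
    }

if __name__ == "__main__":
    for desc, (border, edge) in evaluate(PACKETS).items():
        print(f"{desc:52} border={'pass' if border else 'drop'} "
              f"edge={'pass' if edge else 'drop'}")
```

The third packet is the case the quoted text raises: the border filter passes it because the source is inside the provider's own space, while the edge filter drops it at the port where it entered.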