North American Network Operators Group


Re: New Denial of Service Attack on Panix

  • From: Dima Volodin
  • Date: Wed Oct 02 23:54:36 1996

In the same document:

	4. Liabilities

	[...]

	   Also, while ingress filtering drastically reduces the
	   success of source address spoofing, it does not preclude an
	   attacker using a forged source address of another host
	   within the permitted prefix filter range.


I.e. a single compromised host in the "permitted prefix filter range"
can cause as much trouble as the current attacks. Granted, it's a bit
easier to track down a host like this, but eliminating the majority of
compromisable hosts is even more difficult than global implementation of
the cited document. The bitter irony is that non-implementation of this
draft will most probably correlate with presence of compromisable hosts.

Thus host-(and firewall-)based solutions are at least as important as
the ingress filtering.

As for the evidence of these attacks - they were evident long before the
current talking.

Dima

Paul Ferguson writes:
>  [...]
> Well, this is what we [collectively] have been talking about doing
> as a 'best current practice' since the attacks became evident.
> 
> Also, see:
> 
> [snip]
> 
> 
>  A New Internet-Draft is available from the on-line Internet-Drafts 
>  directories.                                                              
> 
>        Title     : Network Ingress Filtering                               
>        Author(s) : P. Ferguson
>        Filename  : draft-ferguson-ingress-filtering-00.txt
>        Pages     : 6
>        Date      : 10/01/1996
> [...]
- - - - - - - - - - - - - - - - -
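
The limitation quoted from the draft's "Liabilities" section, as an added example that is not part of the original post or the Internet-Draft: a prefix-based ingress filter modelled in Python over constructed packets. The interface name, the permitted prefix and all addresses are assumptions (documentation address space).

```python
import ipaddress

# Constructed topology: one customer-facing interface and the prefix the
# provider permits on it (assumed values, not taken from the post).
PERMITTED = {"cust0": ipaddress.ip_network("192.0.2.0/24")}

def ingress_permits(iface, src):
    """Prefix-based ingress filter: pass only sources inside the permitted prefix."""
    net = PERMITTED.get(iface)
    return net is not None and ipaddress.ip_address(src) in net

def classify(packets):
    """Split packets into dropped / genuine / forged-but-passed.

    Each packet is (iface, real_sender, claimed_src). real_sender is ground
    truth known only to this simulation; the filter sees claimed_src alone.
    """
    out = {"dropped": [], "passed_genuine": [], "passed_forged": []}
    for pkt in packets:
        iface, real, claimed = pkt
        if not ingress_permits(iface, claimed):
            out["dropped"].append(pkt)
        elif real == claimed:
            out["passed_genuine"].append(pkt)
        else:
            out["passed_forged"].append(pkt)
    return out

def traceback_scope(iface):
    """What the filter guarantees about any packet it passed: the origin prefix."""
    return PERMITTED[iface]

# Constructed sample traffic, all sent by host 192.0.2.10 behind cust0.
SAMPLE = [
    ("cust0", "192.0.2.10", "192.0.2.10"),    # genuine source
    ("cust0", "192.0.2.10", "203.0.113.7"),   # forged, outside the prefix
    ("cust0", "192.0.2.10", "192.0.2.99"),    # forged, neighbour inside the prefix
    ("cust0", "192.0.2.10", "198.51.100.1"),  # forged, outside the prefix
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    for bucket, pkts in result.items():
        print(bucket, [p[2] for p in pkts])
    print("origin of passed packets narrowed to", traceback_scope("cust0"))
```

The packet claiming 192.0.2.99 passes the filter even though it is forged, which is the residual case the draft and the reply describe; what the filter still provides is that the origin is known to lie inside the permitted /24.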