North American Network Operators Group


Re: no ip forged-source-address

  • From: Barney Wolff
  • Date: Wed Oct 30 14:54:27 2002

On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote:
> 
> Traceback would get me instantly back to the offending subnet but then it
> would take a bit of digging on the network admin to track me down and
> applying RPF checking won't help.

Sure.  But do you really want to give up a 95% solution just because
it doesn't get you the last inch?  We have no solution that will do
that.  Being able instantly to identify the subnets from which DDoS
traffic is coming would make shutting off those subnets during the
attack possible*, and that in turn would motivate the subnet owners
to clean up their hosts.

* I suspect that an attack that actually comes from 1000 compromised
hosts does not come from nearly that many subnets.  Is there any data?

As a historical note, I put SAA in the filters for the ATT Worldnet
dialup network from its very start in 1995.  Work by smb on the
dangers of spoofed source addresses was already public then.  It's
long past time for the rest of the world to catch up.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
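The trade-off the two posts argue about can be made concrete with a small model of a strict reverse-path (RPF) check at a customer-facing edge. The following is an added example written for this archive page, not code from either poster or from any router vendor: the forwarding table, interface names (eth0, eth1, eth2) and addresses (RFC 5737 documentation prefixes) are all constructed. It accepts a packet only if the best route back to its source leaves through the interface the packet arrived on, reports which customer prefix an accepted packet was admitted under (the "instant traceback to the offending subnet"), and shows the case the check cannot catch: a source forged within the ingress subnet's own prefix.

```python
import ipaddress

# Constructed forwarding table for the example: prefix -> egress interface.
# eth1/eth2 face customer subnets; eth0 is the default route toward the upstream.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "eth1",
    ipaddress.ip_network("198.51.100.0/24"): "eth2",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",
}


def lookup(src):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf_accepts(src, ingress_iface, allow_default=False):
    """Strict RPF: accept only if the route back to src points at ingress_iface.

    A bare default route does not validate a source unless allow_default is set,
    which is why strict mode is usually applied on customer edges, not upstream
    links (assumed policy for this example).
    """
    match = lookup(src)
    if match is None:
        return False
    prefix, iface = match
    if prefix.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def origin_subnet(src, ingress_iface):
    """For an accepted packet, the prefix it was admitted under; None if dropped.

    This is what makes the traceback 'instant': the admitting prefix is the
    customer subnet, even if the exact host address inside it is forged.
    """
    if not strict_urpf_accepts(src, ingress_iface):
        return None
    return str(lookup(src)[0])


def filter_packets(packets):
    """Apply the check to (src, ingress_iface) pairs; return (accepted, dropped)."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if strict_urpf_accepts(src, iface) else dropped).append((src, iface))
    return accepted, dropped


# Constructed sample traffic arriving on the customer interface eth1.
SAMPLE = [
    ("192.0.2.10", "eth1"),     # legitimate host in the eth1 subnet
    ("192.0.2.77", "eth1"),     # forged, but still inside the eth1 subnet: passes RPF
    ("198.51.100.5", "eth1"),   # forged as the other customer: dropped
    ("203.0.113.9", "eth1"),    # forged as an outside address: dropped
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for src, iface in ok:
        print(f"accept {src} on {iface} -> subnet {origin_subnet(src, iface)}")
    for src, iface in bad:
        print(f"drop   {src} on {iface}")
```

Running it shows the "95% solution" in miniature: the two sources outside the customer's prefix are discarded at the edge, while the forged in-subnet address is admitted but still attributed to 192.0.2.0/24, which is exactly the subnet-level identification the reply argues is worth having.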