|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Is there a line of defense against Distributed Reflective attacks?
On Fri, 17 Jan 2003, hc wrote: > > > > > >> > > > > Good point. > > > > I suppose another basic but effective method of prevention would be > > egress filtering. An increasing minority of network providers are > > instituting it, but it doesn't seem like it will be a widespread thing > > in the near-term. > > > > Yes, but egress filtering is only effective by far. Anyone can forge the > source to an IP address that belongs to one of the /16's a provider > advertises. filter close to the end host, this limits (mostly) to the local /24 or /25 or /2(>5)... > > It will help of course, but really not The solution... Or is there one? > haha, there isn't one :( since even with no spoofing you can muster an army of 100,000 IIS servers still scanning for nimda :( |