On Fri, 17 Mar 2006 ennova2005-nanog@yahoo.com wrote:
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing.
Heck, some people still can't get reverse DNS setup correctly for their IP addresses. And in-addr.arpa has been around for decades.
host Host not found: 3(NXDOMAIN)
The problem with relying on address anti-spoofing is it doesn't matter how many ISPs prevent spoofing because it only requires one opening (plus a bad guy, plus bad computers, plus uncontrolled reflectors). While its a good idea to make the spoofing openings as small as possible, within your own network anti-spoofing is very useful, you also need other management controls. This goes beyond an individual protocol such as DNS. You can generate blowback with many different protocols. Technology can take you only so far, you also have to address the human element too. 1. Bad guys 2. Compromised computers (a few are really "owned" by the bad guys too) 3. Spoofable source addresses (the bad guys "own" their own ISPs too) 4. Open reflectors without rate limits