On Wed, 28 Jul 1999, Jeremy Porter wrote:
You can at least conclusively show who is transporting the invalid-source-address-packets to the endpoint. That is, conclusively show that the next-to-last-hop isnt properly filtering. But that doesn't really do any good. They have valid reasons for not running IP verify unicast reverse path on their backbone routers due to asymetric routing.
Note I wasnt talking about RPF I was talking about bogons. The last few smurf attacks I saw, bogons were a large percentage of total smurf volume.
Maybe we should ask Cisco for a "no ip bogons" command.
Would be nice especially if it defaulted to on (like current 'no directed-broadcast').
Yes it would be good to filter. Maybe it should even be a BCP. Maybe the next router requirements should require routers to filter bogons at wire rate.
Well for terminal servers this should certainly be a reasonable requirement. An option to disconnect any port which is found to be sourcing invalid addresses would be excellent. It would certainly be a deterrent to the script kiddies if they knew each time they fired up the smurfer, that they automatically lose their connection.
Interprovider cooperation to track and filter the packets is the correct solution, however difficult it might be.
And how many years have we been screaming about this with no progress. There seems to be zero incentive for interprovider cooperation. We need to give them incentive. But what? -Dan