Filters don't solve the problem. That I'll agree to. Filters prevent it from being MY problem when your dumbass customer has a dumbass customer who has a shell server that is r00ted and becomes a DoS source. How can you be so blind?
Please explain to me how a flood with real origin IPs hurts your pipes any less than a flood with spoofed origin IPs.

Okay, you know who to call. How much does that help you if you have a T1 and the flood source is an OC48 government site, it's 6:30 PM on a Friday, the only person on-site who can access the router has just left and their ISP is not going to shut down an OC48 government contract just to protect your T1 and your ISP doesn't want to mess with their router configuration until their Sunday morning maintenance window? I've been there. Knowing where it was coming from didn't do me a damn bit of good.

So, now, how is it any less your problem if my dumbass customer has a dumbass customer who has a shell server that is r00ted and becomes a DoS source? With or without filters, the traffic has to be monitored. Suspicious flows have to be investigated. Staff has to be there to deal with the problem and the staff has to be competent.

There might be real solutions to these problems. Automated hop-by-hop reverse tracing -- true source authentication -- reverse filter propagation. But none of these things will be developed or deployed if the party line is that ingress filtering is the solution to the DoS problem. How can you be so blind?

DS