That's all well and good if you are going to have someone monitor the logs of these packets 24x7, but if you have a customer get hacked and start spewing shitloads of spoofed sourced packets at various networks (Insert your favorite DDOS Drone here), then the damage is high, immediate, and done by the time you notice it in most cases.
Jason
They could do almost exactly the same amount of damage with an unspoofed UDP flood and it would still take a human action to stop it. The attack can still hop from victim to victim until the problem is stopped at its source. The problem still won't get stopped at its source until someone with the ability to stop it is summoned and alerted to the problem.

Odds are, an attacker will use spoofed packets if he can. Potentially spoofed packets will trigger an investigation on my network. An unspoofed UDP flood probably won't (especially if it hops from victim to victim). So if the attacker uses spoofed packets, he may get cut off at the source (and the problem actually solved) sooner. On the other hand, unspoofed packets will probably trigger a call to the administration of the source network faster. Of course, you don't know that attack is unspoofed, so you really can't be sure what the source is.

The important thing to realize is that neither of these situations is ideal. That is, filters don't solve the problem. We need to acknowledge that we have a problem and don't have a solution to it. Only then will the problem be analyzed, solutions proposed, and implemented.

One possibility is a hop-by-hop reverse tracing protocol. Another possibility is some form of source authentication. For unspoofed floods, the solution may be a way to 'push' a filter up a chain of routers. I don't know, I'm not smart enough to solve the problem by myself. All I can do is keep yelling as loudly as I can that there is a problem and that we do need a really good solution.
DS