Curtis Villamizar <curtis@ans.net> wrote:
> 2. Filter based on source address on inbound packets from singly homed sites.
> A singly homed site cannot have asymmetric routing since there is no other path.
The site does not have to be single-homed for filtering to be applicable. If you relax the criterion for reverse-route filtering to "known route" instead of "best route", then any customer (non-transit) AS can be filtered safely at border routers. Making that the default behaviour on customer-access routers would eliminate source-address spoofing completely.

As a remark -- the SYN flooding attack is by far not the only one which benefits from source address spoofing. There are far more destructive attacks (like resetting BGP sessions, or Steve Bellovin's blind TCP spoofing) which do not require high packet volumes and therefore are not easily traceable.

As for traceability -- fat lot of good it does you if you discover that the hacker was smart enough to use an unprotected box somewhere in Taiwan or Brazil as a staging point for the attack. I've had situations when I traced attacks to places like that and was anything but unable to explain to the local sysadmins what I wanted from them. Simply because they don't speak English at all. There are places where they simply don't have any laws in regard to computer crime, and no Interpol offices. Any really malicious attacker with more than two neurons would be out of your reach, and unhindered.

BTW, the enforcement of source address authenticity allows for automated SYN flooding attack defenses -- if your host sees a stream of SYNs at a rate of more than X pps it simply starts to ignore the SYNs from that particular source! (A simple algorithm would take care of roaming sources within some network -- you just sort SYNs by buckets of different sizes and shut down those which have SYN rate counts higher than some threshold.)

--vadim
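The two mechanisms described in the message above, as an added example in Python that is not part of the original thread: a reverse-route filter that compares the "best route" criterion with the relaxed "known route" criterion (accept the packet if the ingress interface carries any route covering the source, even when the best route points elsewhere), and a SYN limiter that counts SYNs in /32, /24 and /16 buckets over a sliding window and ignores a source once any bucket containing it exceeds its threshold. The prefixes, interface names, preferences, thresholds and the packet streams are all constructed for illustration; the class and method names are mine, not any router vendor's.

```python
"""Added example: reverse-route filtering ("best route" vs "known route")
and multi-size SYN rate buckets. All data below is constructed."""
import ipaddress
from collections import defaultdict, deque


class ReverseRouteFilter:
    """Routes as a border router would learn them: (prefix, interface, preference)."""

    def __init__(self, routes):
        # Lower preference wins between routes of equal prefix length.
        self.routes = [(ipaddress.ip_network(p), iface, pref) for p, iface, pref in routes]

    def best_route_iface(self, src):
        """Interface of the single best route: longest prefix, then lowest preference."""
        addr = ipaddress.ip_address(src)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

    def accept_strict(self, src, ingress):
        """'Best route' check: drop unless the best route to src points back at ingress.
        Breaks multihomed customers whose return path is asymmetric."""
        return self.best_route_iface(src) == ingress

    def accept_known(self, src, ingress):
        """'Known route' check: accept if ingress carries ANY route covering src.
        Still drops sources for which no route at all exists via ingress."""
        addr = ipaddress.ip_address(src)
        return any(addr in net and iface == ingress for net, iface, _ in self.routes)


class SynBucketLimiter:
    """Counts SYNs per bucket of several prefix sizes within a sliding time window."""

    def __init__(self, thresholds, window=1.0):
        # thresholds: {prefixlen: max SYNs per window}; larger buckets get larger limits
        self.thresholds = thresholds
        self.window = window
        self.events = defaultdict(deque)  # bucket network -> timestamps of recent SYNs

    @staticmethod
    def _bucket(src, plen):
        return ipaddress.ip_network(f"{src}/{plen}", strict=False)

    def syn(self, src, now):
        """Record one SYN from src at time `now`. Returns True if the SYN should be
        ignored because some bucket containing src is over its threshold."""
        blocked = False
        for plen, limit in self.thresholds.items():
            q = self.events[self._bucket(src, plen)]
            q.append(now)
            while q and now - q[0] > self.window:   # expire old entries
                q.popleft()
            if len(q) > limit:
                blocked = True
        return blocked


def demo():
    rrf = ReverseRouteFilter([
        ("192.0.2.0/24", "cust-a", 100),      # customer prefix, preferred link
        ("192.0.2.0/24", "cust-b", 200),      # same prefix via the customer's backup link
        ("198.51.100.0/24", "transit", 100),  # some unrelated network via transit
    ])
    # Customer packet arriving on the non-preferred link (asymmetric routing):
    strict = rrf.accept_strict("192.0.2.10", "cust-b")   # dropped by the strict check
    known = rrf.accept_known("192.0.2.10", "cust-b")     # accepted by the relaxed check
    # Spoofed source the customer has no route for: dropped by both checks.
    spoof = rrf.accept_known("198.51.100.7", "cust-b")

    thresholds = {32: 5, 24: 20, 16: 100}
    # Constructed stream 1: one host sends 8 SYNs within 80 ms.
    lim = SynBucketLimiter(thresholds, window=1.0)
    single = [lim.syn("203.0.113.5", 0.01 * i) for i in range(8)]
    # Constructed stream 2: attacker roams over 25 hosts of 203.0.113.0/24,
    # one SYN each, staying under the per-host limit but not the /24 limit.
    lim2 = SynBucketLimiter(thresholds, window=1.0)
    roaming = [lim2.syn(f"203.0.113.{i}", 0.01 * i) for i in range(1, 26)]
    return strict, known, spoof, single, roaming


if __name__ == "__main__":
    print(demo())
```

The "known route" check is what lets a multihomed customer be filtered at all: the customer can only emit sources inside prefixes it announces to you, so asymmetry between its links no longer causes false drops, while a source address that no route via that interface covers is still rejected. The bucket limiter's larger buckets carry larger thresholds so that ordinary traffic from a busy /16 is not penalised, but a roaming attacker within one /24 trips the /24 bucket even though no single /32 ever reaches its limit.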