On Thu, Mar 29, 2001 at 10:14:54PM -0500, Greg A. Woods wrote:
Filtering illegal source addresses, and monitoring your filters, will eliminate *all* possibility of being the source of a spoofed DoS against someone else. Absolutely, positively, guaranteed. No ifs, ands, or buts. There really is no valid excuse any more for not doing it.
Other than software limitations, routers and switches which can't handle this kind of load, and the inability to always know what packets are spoofed.
Exactly -- the problem is there's no good way to tell a spoofed packet from an unspoofed packet. Some form of source authentication would solve that.
Every packet with a source address that's not assigned to the customer who it is arriving from *IS* a spoofed packet, regardless of *why* it has an errant address. They must all be filtered regardless of content or purpose! The sooner your customers realise their configuration errors, the better (and the happier they'll be!).
Now that's a very broad statement that's just not true. There are reasons that packets with a source address not assigned to an ISP may come across the link and be valid; look at DirectPC. Past that, if the customer has customers who have blocks assigned from other providers, this becomes a huge and almost impossible to manage real-time list. Big filter lists hit router CPUs, and cost human time. And remember this isn't like filtering BGP customers, where if the route doesn't get through it's not always a big deal; you are _dropping_ packets that may be valid.
Yes customers should do anti-spoofing filtering on both source and destination addresses too, but that does not in any way excuse any provider from doing likewise on *all* edge connections.
I'm guessing you talk to a lot of router vendors and listen to their half-truths about their filtering abilities. It's one thing to filter one customer; it's another to filter hundreds of customers utilizing hundreds or thousands of blocks on a single device, where just looking at the configuration becomes a nightmare. Also there's a big difference between an edge device pushing a few megs and one pushing many gigs when it comes to any type of packet filtering.

-- 
-------------------------------------------------------------------------------
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
: My views = My views != The views of any of my past or present employers :
-------------------------------------------------------------------------------
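To make the two positions concrete, here is a per-interface ingress filter in Python written for this page (example code, not from either poster): it permits only source addresses inside the prefixes assigned to the customer on that interface, counts drops per interface so the filters can be monitored, and reports how many ACL entries the table needs once a customer's downstream holds a block from another provider. All prefixes, interface names and packets are constructed from RFC 5737 documentation space.

```python
import ipaddress
from collections import Counter

# Constructed customer assignments using RFC 5737 documentation prefixes.
# Each edge interface permits only the source prefixes assigned to that
# customer; anything else is treated as spoofed, as argued in the thread.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    # cust-b resells to a downstream that holds space from another provider,
    # so that foreign block must be listed here too or its traffic is dropped.
    "cust-b": ["198.51.100.0/25", "203.0.113.64/26"],
}

# Constructed sample packets as (ingress interface, source address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10"),     # own space: permit
    ("cust-a", "198.51.100.5"),   # another customer's space: drop
    ("cust-b", "203.0.113.100"),  # downstream's foreign block, listed: permit
    ("cust-b", "203.0.113.200"),  # outside the listed /26: drop
    ("cust-b", "10.0.0.1"),       # RFC 1918 leak, typical misconfiguration: drop
]

def build_ingress_filter(assignments):
    """Parse the per-interface prefix lists once into network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}

def classify(filter_table, iface, src):
    """Permit only if the source lies inside a prefix assigned to this interface."""
    addr = ipaddress.ip_address(src)
    nets = filter_table.get(iface, [])
    return "permit" if any(addr in net for net in nets) else "drop"

def apply_filter(filter_table, packets):
    """Return per-packet verdicts plus a drop count per interface for monitoring."""
    verdicts = []
    drops = Counter()
    for iface, src in packets:
        verdict = classify(filter_table, iface, src)
        verdicts.append((iface, src, verdict))
        if verdict == "drop":
            drops[iface] += 1
    return verdicts, drops

def filter_entry_count(filter_table):
    """Total ACL entries: grows with every foreign block a downstream holds."""
    return sum(len(nets) for nets in filter_table.values())

if __name__ == "__main__":
    table = build_ingress_filter(CUSTOMER_PREFIXES)
    verdicts, drops = apply_filter(table, SAMPLE_PACKETS)
    for iface, src, verdict in verdicts:
        print(f"{iface:7} {src:16} {verdict}")
    print("drops:", dict(drops), "| ACL entries:", filter_entry_count(table))
```

A rising drop count on one interface is the signal Greg's "monitoring your filters" refers to: either the customer is leaking misconfigured sources or, as Steven warns, a legitimately held foreign block is missing from the list.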