On Thu, Mar 29, 2001 at 03:08:24PM -0800, David Schwartz wrote:
They could do almost exactly the same amount of damage with an unspoofed UDP flood and it would still take a human action to stop it.
This is a false premise. I get hit with one-off attacks pretty often (oversized pings against my NT boxes, etc.), which are impossible to trace because of invalid source addresses.
Source filters would mean that those attacks would be identifiable period, which they are not now.
Not so. You could still never be sure whether the attack was spoofed or not. That the address the attacks appear to come from employ source filters doesn't help you.
At least if they're spoofed and the origin network logs packets that appear spoofed, the one off attack will be investigated and whatever caused it to happen will be actually fixed. If it's not spoofed, it won't trigger anything at its origin, and odds are the origin site will be unable to do anything because the attack may have been spoofed and there will be no local logs.
So long as spoofing is possible, you cannot be sure where an attack came from unless you can either log it at its source or trace the stream to its source. That's the problem, and filters don't fix that.
"I don't filter spoofed packets because there are others that don't filter them" aiming to be so good at following the crowd that you're the last person there? -- John Payne http://www.sackheads.org/jpayne/ john@sackheads.org http://www.sackheads.org/uce/ Fax: +44 870 0547954 To send me mail, use the address in the From: header