On Thu, Jan 12, 2006 at 11:09:13PM -0500, Steven M. Bellovin wrote:
RFC2827/BCP38?
The problem is that an ISP can do all the source filtering it wants, but if it only blocks SYNs to port 25 all it takes is one unfiltered dial-up to spoof that ISP's addresses.
On the subject of filtering and IP spoofing... In the past year, our spoofer project has collected nearly 1200 unique reports from across the Internet and we have an interesting, if not wholly representative, dataset. The latest version of our spoofer tester includes a number of new features that may be interesting to the community. One particular new feature is the ability to determine where along a tested path filtering is employed with what we're calling a "reverse traceroute" mechanism [1]. Knowing the "filtering depth" is of particular interest to us since there is an operational tension between the specificity of router-level filters and the ability to properly maintain them. We also test fun stuff such as how far into the adjacent neighbor address space the client can spoof, filtering inconsistencies, etc. We'd appreciate any runs of the spoofer tester to help us gather additional data. The client, details of the reverse traceroute as well as our "State of IP spoofing" summary results are all the web page: http://spoofer.csail.mit.edu/ Thanks, rob [1] The idea for the reverse traceroute arose from a fruitful discussion with John Curran.