On Fri, 30 Mar 2001, David Schwartz wrote:
> I'm going to keep this really simple and go really slow so there's no chance of a misunderstanding.
> You have a customer A. He has two customers, B and C. Your filter allows A, B, and C's assigned addresses as source addresses on the link to/from customer A.
> Your customer A receives a packet from customer B with a source address assigned to customer C. Your filter allows it even though it's spoofed. You know why that is? Because your filter can't tell a spoofed packet from an unspoofed packet.
Um... Check this out. Customer B should be filtering TOO! They know what addresses they're assigned!!!!!!!
> Customer B dials up to another ISP. He gets an IP address. He sends a packet sourced with that IP address to your customer A who forwards it to you. It's not spoofed, but your filter blocks it. Do you know why that is? Because your filter can't tell a spoofed packet from an unspoofed packet.
Yes it is spoofed. If we're not announcing a route to it and it's originating from our network (customer or not) it's SPOOFED! I don't care what you say. No inbound route equals no outbound route. Sure, in the pre-script-kiddie world, this would have been a quasi-legit packet but NOW, it's NOT! Technology exists to allow all LEGIT traffic to be properly tunneled. If they want to VPN, do it two-way. Otherwise, NIX IT!
> You may be entirely happy with your filter, and it may be doing exactly what you want it to do. I won't dispute that. But the fact remains that your filter cannot tell a spoofed packet from an unspoofed packet. And there's a simple reason for this -- your filter can't tell where a packet actually originated, and that's what you need to know to tell whether it's spoofed or not.
My filter knows if we're ANNOUNCING a route to the originating address. If we're NOT, we NIX the packet. No way back -- No way from. It's that simple.
> Do you understand my point yet? A filter cannot tell a spoofed packet from an unspoofed packet. We've gone back and forth about four times and this simple point still seems to elude you. I wish I liked to play the name calling game as much as you do.
I've understood all along. And you're mistaken. Filters know what you tell them. If you're announcing a route, you should accept traffic to/from it. If not, you nix it. It's that simple. As for name calling, I've exercised my weekly allotment of restraint in the past 2 hours. Get a clue, PLEASE.
> DS
> PS: Am I the only one who was actually a little happy the day some big name sites got hit with DDoS attacks thinking this would finally bring some attention and real solutions to the problem of DoS attacks? Am I the only one disappointed with the fact that things have not gotten significantly better since then?
Yes. You are among an elite STUPID few who found gratification in an event that caused the REAL networks on the wire tons of grief. Your statement above has caused me to discard any remaining respect I might have had for you because it is DUMB %^Ks like YOU that allowed it to happen in the first place. Had the attacks come from source addresses that were known to only originate from network-X, it would be easy to NIX. Because of the fact that there are so many clueless individuals like yourself out there (and providers who are more than happy to sell you connectivity), the attack was MUCH MORE EFFECTIVE. As for things getting better, they won't until the clueless take a hint from: (1) History (2) Those of us who already have a clue.
---
John Fraizer
EnterZone, Inc
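The disagreement above comes down to what a per-link source-address allow-list can and cannot decide. The following Python model is an added illustration, not code from either poster: it builds one ingress filter per link from constructed documentation-range assignments (A's block sub-delegated to B and C, and an unrelated block standing in for "another ISP") and traces both packets from the exchange through the ISP-only filter and through a filter applied by A as well.

```python
import ipaddress

# Constructed example addressing (documentation ranges, not from the thread):
# the ISP assigns A a block, and A sub-delegates part of it to B and C.
ASSIGNED = {
    "A": ["192.0.2.0/25"],
    "B": ["192.0.2.128/26"],
    "C": ["192.0.2.192/26"],
}
# Who is reachable behind whom: the ISP reaches B and C only through A.
BEHIND = {"A": ["B", "C"], "B": [], "C": []}

def allowed_sources(customer):
    """Source prefixes accepted on the link from `customer`: its own
    assignments plus those of every customer routed behind it."""
    names = [customer] + BEHIND[customer]
    return [ipaddress.ip_network(p) for n in names for p in ASSIGNED[n]]

# One ingress filter per link, named "upstream<-downstream".
FILTERS = {
    "ISP<-A": allowed_sources("A"),
    "A<-B": allowed_sources("B"),
    "A<-C": allowed_sources("C"),
}

def permitted(src, prefixes):
    """True if the source address falls inside any allowed prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def first_drop(src, path, filters=FILTERS):
    """Carry a packet with source `src` across the links in `path`
    (downstream link first); return the link that drops it, or None."""
    for link in path:
        if not permitted(src, filters[link]):
            return link
    return None

if __name__ == "__main__":
    spoofed = "192.0.2.200"   # B sending with one of C's addresses
    foreign = "198.51.100.9"  # B's address obtained from a different ISP
    # Only the ISP filters: the spoof passes, since C's block is legitimately behind A.
    print(first_drop(spoofed, ["ISP<-A"]))          # None
    # A also filters its link to B: the spoof is caught one hop earlier.
    print(first_drop(spoofed, ["A<-B", "ISP<-A"]))  # A<-B
    # The unspoofed packet from B's other-ISP address is dropped just the same.
    print(first_drop(foreign, ["A<-B", "ISP<-A"]))  # A<-B
```

The model shows the two sides of the argument side by side: the per-link allow-list cannot see that B, not C, sent the first packet, and it rejects the second packet without knowing whether it was spoofed; what it enforces is only "source matches what is routed behind this link".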