Alec H. Peterson writes:
Pat Calhoun writes:
Alexis,
However if you are filtering on your outbound router to the net, there is still the possibility that a malicious user could spoof addresses as long as they belong to your address space. By moving the filter out to the edge (when you have the equipment) this eliminates that problem as well.
If it's not practical, it's not practical. If the dialin boxes haven't got the CPU to filter each customer's connection, you just have to do the next best thing. The strategy I described is the next best thing, and it's pretty far "out to the edge". However, if you're a small provider and you only filter on your boundary to the net, that's still mostly OK as far as the SYN attack problem goes. Yes, the customer can spoof in the provider's IP range, but that makes the attacks easy to trace and very easy to filter.
This is true, but if it is a valid host, the invalid SYNs will do nothing, because the source host will send a RST and the almost-connection will be torn down. And if it isn't a valid host, it will still be _much_ easier to track, because you know in general where it's coming from.
Right. You're getting into a more general issue ("what can you do if you can spoof") here, though. The answer is "lots of really nasty stuff". Just another reason to do aggressive antiforgery filtering. /a
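As an added illustration of the two filter placements discussed in this thread (this is not code from any of the participants), the Python below models a provider-boundary filter beside a per-port filter on the dial-in box and runs a few constructed packets through both. The prefixes, port names and packets are all hypothetical (RFC 5737 documentation addresses); the point it shows is the one Pat and Alexis are making: the boundary filter stops spoofing of foreign addresses, while only the per-customer filter catches spoofing inside the provider's own range, and a packet that slips past the boundary filter still carries a source that names the responsible provider.

```python
import ipaddress

# Constructed example data: the provider's allocation and the ranges its
# dial-in boxes hand to individual customer ports (hypothetical values).
PROVIDER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_PORTS = {
    "port1": ipaddress.ip_network("203.0.113.16/28"),
    "port2": ipaddress.ip_network("203.0.113.32/28"),
}

# Table a downstream victim might consult to trace an attack source back to
# the network responsible for it (hypothetical provider names).
PROVIDER_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "example-isp-a",
    ipaddress.ip_network("198.51.100.0/24"): "example-isp-b",
}


def border_filter(src):
    """Filter on the provider's outbound router to the net: a packet may
    leave only if its source lies somewhere in the provider's own space."""
    return ipaddress.ip_address(src) in PROVIDER_PREFIX


def edge_filter(port, src):
    """Filter on the dial-in port itself: the source must be one of the
    addresses actually assigned to the customer on that port."""
    return ipaddress.ip_address(src) in CUSTOMER_PORTS[port]


def classify(port, src):
    """Report which of the two filters would pass a packet leaving `port`
    with source address `src`."""
    return {"border": border_filter(src), "edge": edge_filter(port, src)}


def owning_provider(src):
    """Trace a source address back to the provider that announces it.
    Returns None when no table entry covers the address."""
    addr = ipaddress.ip_address(src)
    for prefix, name in PROVIDER_TABLE.items():
        if addr in prefix:
            return name
    return None


def run_filters(packets):
    """Evaluate a list of (port, src) pairs and return, for each, the filter
    verdicts plus who the source would be traced to if it got out."""
    results = []
    for port, src in packets:
        verdict = classify(port, src)
        results.append((port, src, verdict, owning_provider(src)))
    return results


if __name__ == "__main__":
    # Constructed packets: a legitimate one, a spoof inside the provider's
    # range from the wrong port, and a spoof of a foreign address.
    sample = [
        ("port1", "203.0.113.17"),
        ("port1", "203.0.113.33"),
        ("port1", "198.51.100.5"),
    ]
    for port, src, verdict, owner in run_filters(sample):
        print(f"{port} src={src} border={'pass' if verdict['border'] else 'drop'} "
              f"edge={'pass' if verdict['edge'] else 'drop'} traced-to={owner}")
```

The second packet is the case the thread is discussing: it passes the boundary filter because 203.0.113.33 is inside the provider's /24, but the per-port filter drops it because that address belongs to port2, not port1. Even where only the boundary filter exists, `owning_provider` shows why such a spoof is "easy to trace": the source can only point back at the provider whose range it was forged in.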