On Thu, Mar 29, 2001 at 07:46:44PM -0800, Steve Noble wrote:
> On Thu, Mar 29, 2001 at 10:14:54PM -0500, Greg A. Woods wrote:
> > Filtering illegal source addresses, and monitoring your filters, will eliminate *all* possibility of being the source of a spoofed DoS against someone else. Absolutely, positively, guaranteed. No ifs, ands, or buts. There really is no valid excuse any more for not doing it.
> Other than software limitations, routers and switches which can't handle this kind of load, and the inability to always know what packets are spoofed.
If a global transit free network can ingress filter all of their customers, without CPU or other logistic problems, I'd be surprised if the majority of ISPs on this list can't do otherwise. OK, if you're UUNET and providing connectivity to a load of ISPs, you might not be able to filter those customers, but you can require that they filter their customers.
> > > Exactly -- the problem is there's no good way to tell a spoofed packet from an unspoofed packet. Some form of source authentication would solve that.
> > Every packet with a source address that's not assigned to the customer who it is arriving from *IS* a spoofed packet, regardless of *why* it has an errant address. They must all be filtered regardless of content or purpose! The sooner your customers realise their configuration errors, the better (and the happier they'll be!).
> Now that's a very broad statement that's just not true. There are reasons that packets with a source address not assigned to an ISP may come across the link and be valid; look at DirectPC.
"Apart from the address block we've assigned you, will you be using addresses in netblocks of other providers? For example, you might have a connection to another ISP, or you might be using DirectPC"
> Past that, if the customer has customers who have blocks assigned from other providers, this becomes a huge and almost impossible to manage real-time list. Big filter lists hit router CPUs, and cost human time. And remember this isn't like filtering BGP customers, where if the route doesn't get through it's not always a big deal; you are _dropping_ packets that may be valid.
And the CPU cost is tiny. Netflow switching reduces it even more.

--
John Payne                                    http://www.sackheads.org/jpayne/
john@sackheads.org                            http://www.sackheads.org/uce/
Fax: +44 870 0547954
To send me mail, use the address in the From: header
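The per-customer ingress filter the thread argues about, written out as an added illustration (not code from anyone in the thread): each customer interface permits only the block the ISP assigned plus whatever other-provider blocks the customer declared in answer to the questionnaire question above, and everything else is counted as a drop so the filter can be monitored. Customer names and prefixes are constructed; a real deployment does this in router access lists, not in Python.

```python
import ipaddress
from collections import Counter

# Constructed example: per-customer-interface source-address allow-lists.
# The first prefix is the block the ISP assigned; any further prefixes are
# what the customer declared as "addresses in netblocks of other providers".
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],                         # single-homed
    "cust-b": ["198.51.100.0/24", "203.0.113.128/25"],  # also uses another provider's block
}

# Constructed packets as (ingress interface, source address) pairs.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.7"),       # own block: permitted
    ("cust-a", "10.0.0.1"),        # private source leaking out: dropped
    ("cust-a", "198.51.100.9"),    # cust-b's space arriving on cust-a: dropped
    ("cust-b", "203.0.113.200"),   # declared other-provider block: permitted
    ("cust-b", "192.0.2.7"),       # cust-a's space arriving on cust-b: dropped
]

def build_ingress_filter(prefix_table):
    """Parse every prefix once so the per-packet check is just a few
    containment tests; this is the part that stays cheap on the router."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in prefix_table.items()}

def ingress_permits(filters, iface, src):
    """True if the source sits inside a prefix assigned to or declared by the
    customer on this interface. Anything else is treated as spoofed or
    misconfigured and dropped, regardless of why it carries that address.
    An interface with no entry permits nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters.get(iface, []))

def apply_filter(filters, packets):
    """Run a batch through the filter and count drops per interface. The
    counters are the 'monitoring your filters' half of the advice: a jump in
    drops on one interface points at a customer whose configuration (or
    declared prefix list) needs a look before their packets are silently lost."""
    passed, drops = [], Counter()
    for iface, src in packets:
        if ingress_permits(filters, iface, src):
            passed.append((iface, src))
        else:
            drops[iface] += 1
    return passed, drops

if __name__ == "__main__":
    ok, dropped = apply_filter(build_ingress_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print(f"permitted={len(ok)} drops={dict(dropped)}")
```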