On Thu, 29 Mar 2001, David Schwartz rambled on as if he had a CLUE about:
Source filters would mean that those attacks would be identifiable period, which they are not now.
Not so. You could still never be sure whether the attack was spoofed or not. That the address the attacks appear to come from employs source filters doesn't help you.
David, you're only showing the WHOLE WORLD that you DON'T KNOW WHAT THE ^#&* YOU'RE TALKING ABOUT!!!!!! If someone tries to source an address we don't allow, it DIES INSIDE OUR NETWORK *AND LOGS AN ATTEMPT*!!! Let's look at this. It *DID NOT* make it out to the global internet and it *DID* catch our attention. *WIN WIN SITUATION*!!!!!!!!! Tell me where I'm wrong. PLEASE!
At least if they're spoofed and the origin network logs packets that appear spoofed, the one off attack will be investigated and whatever caused it to happen will be actually fixed. If it's not
You can NOT be this uneducated, can you? How can ALLOWING the attack to take place by not filtering be any better than BLOCKING it and seeing in the logs that it was attempted and thumping the appropriate customer? I've watched this go on for a week and I've come to the (hopefully mistaken) conclusion that you're just a lazy ass who refuses to do PREVENTATIVE filtering in hopes that there won't be a problem. The ONLY reason you could have for NOT filtering is that you hope that the NOC of the network being DoS'd will be able to track YOUR network down as a source and THUMP you themselves! Either that or your customers are such dumb %&cks that they can't manage to tell you what source IPs they'll have.... In which case, THEY SHOULD BE FILTERED 100x over to begin with!
spoofed, it won't trigger anything at its origin, and odds are the origin site will be unable to do anything because the attack may have been spoofed and there will be no local logs.
What are you talking about? LOG AT INGRESS!!!! Investigate the logs. It's that simple. You just seem too %&*#^%#* lazy to do so.
So long as spoofing is possible, you cannot be sure where an attack came from unless you can either log it at its source or trace the stream to its source. That's the problem, and filters don't fix that.
Son, spoofing is possible AS LONG AS INGRESS CONNECTIONS ARE NOT FILTERED BY SOURCE ADDRESS! I'm tired and bored of people like you. Plain and simple. Consider yourself filtered as a preventative measure.
DS
My sentiments EXACTLY.

---
John Fraizer
EnterZone, Inc
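
The drop-and-log behaviour at a source-filtered customer port that the thread argues about, as an added example that is not part of the original message. The interface names, prefixes and packets are constructed, `filter_ingress` is a hypothetical helper, and one port is left unfiltered to show what still gets forwarded there.

```python
import ipaddress

# Constructed edge configuration: customer-facing interface -> prefixes that
# customer may source from. None means the port has no source filter.
ALLOWED_SOURCES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "203.0.113.0/28"],
    "cust-c": None,  # unfiltered port
}

# Constructed packets: (ingress interface, source address, destination address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.200"),
    ("cust-a", "198.51.100.7", "203.0.113.200"),  # cust-a sourcing cust-b space
    ("cust-b", "203.0.113.5", "192.0.2.10"),
    ("cust-b", "203.0.113.77", "192.0.2.10"),  # outside the /28
    ("cust-c", "192.0.2.10", "203.0.113.200"),  # spoofed via unfiltered port
    ("cust-b", "not-an-ip", "192.0.2.10"),  # malformed record
]


def filter_ingress(packets, allowed=ALLOWED_SOURCES):
    """Return (forwarded, log): packets passed on, and one log entry per drop."""
    nets = {ifc: None if p is None else [ipaddress.ip_network(x) for x in p]
            for ifc, p in allowed.items()}
    forwarded, log = [], []
    for ifc, src, dst in packets:
        if ifc not in nets:
            log.append((ifc, src, dst, "unknown-interface"))
            continue
        if nets[ifc] is None:  # no filter: forwarded whatever source it claims
            forwarded.append((ifc, src, dst))
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            log.append((ifc, src, dst, "malformed-source"))
            continue
        if any(addr in n for n in nets[ifc]):
            forwarded.append((ifc, src, dst))
        else:
            # Dropped at the edge; the log names the port it arrived on.
            log.append((ifc, src, dst, "source-not-allowed"))
    return forwarded, log


if __name__ == "__main__":
    for entry in filter_ingress(SAMPLE_PACKETS)[1]:
        print("DROP", *entry)
```

Each log entry records the ingress interface alongside the claimed source, which is what ties a dropped packet to a specific customer port.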