8 Oct 2002, 10:40 a.m.
On Tue, 8 Oct 2002, Kelly J. Cooper wrote:
> Also, egress filtering is NOT easy,
I don't care. And it doesn't have to be egress filtering as such, filtering packets you receive from your customers will work just as well.
> Plus, lots of attacks these days are mixing spoofed and legit traffic, or doing limited spoofing (i.e. picking random addresses on the LAN where they originate to make it past filters).
What's your point? That because someone can do bad thing #1 that can't be prevented, we should allow them to do bad thing #2 that can? If they use (semi-) legitimate addresses, at the very least I can track them and with some effort I can filter them. If they spoof then I can't do anything. This is not acceptable.
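The customer-side source filtering discussed in this message, as an added example that is not part of the original post: packets are accepted on a customer port only when the source address falls inside a prefix assigned to that port, so a source that picks random addresses on its own LAN still passes but stays attributable to that port. The port names, prefixes (RFC 5737 documentation ranges) and traffic are constructed, and `trace` assumes every customer port applies the same filter.

```python
import ipaddress

# Constructed sample data: customer-facing ports and the prefixes assigned to them.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.0/28")],
}

def permit(port, src):
    """Accept a packet only if its source lies in a prefix assigned to the port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))

def trace(src):
    """Map a source address seen downstream back to the customer port it entered on.

    Valid only under the assumption that every customer port runs permit().
    Returns None for addresses no customer could have sent through the filter.
    """
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, port)
               for port, nets in CUSTOMER_PREFIXES.items()
               for net in nets if addr in net]
    return max(matches)[1] if matches else None  # most specific prefix wins

def run(packets):
    """Split (port, source) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for port, src in packets:
        (forwarded if permit(port, src) else dropped).append((port, src))
    return forwarded, dropped

# Constructed traffic arriving on customer ports.
SAMPLE = [
    ("cust-a", "192.0.2.10"),    # real host address
    ("cust-a", "192.0.2.77"),    # random address inside the sender's own LAN
    ("cust-a", "198.51.100.5"),  # claims another customer's space
    ("cust-a", "10.9.8.7"),      # arbitrary spoofed source
    ("cust-b", "203.0.113.9"),   # real host address
]

if __name__ == "__main__":
    forwarded, dropped = run(SAMPLE)
    for port, src in forwarded:
        print(f"forward {src:15} on {port}, traceable to {trace(src)}")
    for port, src in dropped:
        print(f"drop    {src:15} on {port}, source outside assigned prefixes")
```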