Adrian wrote:
But this way, people can only spoof IPs from their own block, and not random addresses. It would kill smurf attacks, make tracing a tad(?) easier, etc, etc. And as I've mentioned before, not all types of floods are ICMP attacks. If you filter ICMP, then I'll start flooding with spoofed-source-address TCP packets with random sequence numbers and from IPs. What, you're going to ask routers to track all the TCP connections going through them now for validation? Erm, how many CPUs more are we going to need..? :)
Something else that needs to be done is we need DEFAULT anti-spoof filters on all dialin boxes such as those made by Livingston, Ascend, USR, etc. When a customer calls in and gets assigned an IP address the box should automatically apply an anti-spoof filter to that port dropping any packets with an IP source different than the one assigned. Of course you need a way to override that for customers who have networks routed to them. The box could use the RADIUS "Framed-Route" entry as a hint to which networks to forward IPs from. I've had an RFE in with Livingston for over a year to get that added to ComOS.

Dax Kelson
Internet Connect, Inc.
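The per-port filter Dax describes, as an added example that is not part of this thread or of any vendor's firmware: the allowed source set is the Framed-IP-Address assigned to the session plus the destination prefixes of any Framed-Route attributes (RFC 2865 format "prefix[/len] gateway metric ..."); everything else arriving on that port is dropped and logged. The RADIUS reply attributes and packets below are constructed sample values.

```python
import ipaddress

# Constructed RADIUS reply for one dial-in session (sample values, not real).
SAMPLE_SESSION = {
    "Framed-IP-Address": "10.1.2.3",
    "Framed-Route": ["192.0.2.0/24 10.1.2.3 1", "198.51.100.128/25 10.1.2.3 1"],
}

# Constructed (src, dst) pairs seen on that port: two legitimate sources,
# one address outside every routed prefix, one from the wrong half of the /25.
SAMPLE_PACKETS = [
    ("10.1.2.3", "203.0.113.5"),
    ("192.0.2.77", "203.0.113.5"),
    ("172.16.0.9", "203.0.113.5"),
    ("198.51.100.5", "203.0.113.5"),
    ("198.51.100.200", "203.0.113.5"),
]


def parse_framed_route(value):
    """Destination prefix of a Framed-Route string. Per RFC 2865 the prefix
    may omit /len, in which case it is treated here as a host route."""
    prefix = value.split()[0]
    if "/" not in prefix:
        prefix += "/32"
    return ipaddress.ip_network(prefix, strict=False)


def build_source_filter(session):
    """Source prefixes allowed on this port: the assigned address itself plus
    every network the RADIUS server says is routed to the customer."""
    allowed = [ipaddress.ip_network(session["Framed-IP-Address"] + "/32")]
    for route in session.get("Framed-Route", []):
        allowed.append(parse_framed_route(route))
    return allowed


def permit_source(src, allowed):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def filter_packets(packets, allowed):
    """Split packets into (forwarded, dropped); dropped ones are the spoof
    attempts an operator would want counted per port."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permit_source(src, allowed) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, build_source_filter(SAMPLE_SESSION))
    for src, _ in drop:
        print("anti-spoof drop on port: src=%s" % src)
```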