On Thu, 12 Jul 2001, Bill Larson wrote:
Well, to sum it up in one sentence: if you eliminate the bogus addresses, you can then target the actual zombie machines used to attack the site and eventually eliminate the risk via patching, or null-route them. So filtering bogus addresses, non-routable addresses, and the addresses which do not belong to your net blocks would serve to combat the denial of service attacks.
I'm going to go way out on a limb here and say:

1) I would prefer all attacks use spoofed sources ('cause I can track it across my net in 2 minutes)
2) So what if you track it back to 8000 compromised Windows machines?? What are you going to do?

OK, that said, think about this: today we have 1 or 2 or 3 spoofing boxes per attack (on average); if there are 8000 IIS boxes pinging one 64k ping per second you can really rack up the bandwidth fast. There is a list of 8800 hosts on attrition.org that could very easily be used in this manner.

Do not believe that stopping spoofed sources will magically make DoS or DDoS go away; it won't. The only thing stopping spoofed packets will do is shift the attacks to larger networks of machines controlled through more intelligent channels...

-Chris