In the same document: 4. Liabilities [...] Also, while ingress filtering drastically reduces the success of source address spoofing, it does not preclude an attacker using a forged source address of another host within the permitted prefix filter range. I.e. a single compromised host in the "permitted prefix filter range" can cause as much trouble as the current attacks. Granted, it's a bit easier to track down a host like this, but eliminating the majority of compromisable hosts is even more difficult than global implementation of the cited document. The bitter irony is that non-implementation of this draft will most probably corelate with presence of compromisable hosts. Thus host-(and firewall-)based solutions are at least as important as the ingress filtering. As of the evidence of these attacks - they were evident long before the current talking. Dima Paul Ferguson writes:
[...] Well, this is what we [collectively] have been talking about doing as a 'best current practice' since the attacks became evident.
Also, see:
[snip]
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Network Ingress Filtering Author(s) : P. Ferguson Filename : draft-ferguson-ingress-filtering-00.txt Pages : 6 Date : 10/01/1996 [...]