Your counter suggestion does not address the issues my suggestion was intended to address. The primary issues I'm trying to address are:

1) Tracking of packets with spoofed IP addresses should, ideally, be automated.
2) Tracking of packets that are or may be part of DoS attacks should not be based upon origin IP because that can easily be forged.
3) Tracking of malicious packets should easily cross administrative boundaries.

If you think I'm suggesting that implementing a plan like I suggested is trivial or doesn't have serious privacy and/or security implications, rest assured, I know. If you build a new protocol with new loopholes, people will work around the loopholes and we'll be back where we started. I'd ideally prefer a very solid method of tracking where packets come from. Tracing the origin of packets you will receive anyway shouldn't have privacy implications -- you're not supposed to be forging origin IPs anyway.

David Schwartz

On Fri, 20 Dec 1996, Alan Hannan wrote:
why even do that? i'm not sure i want you triggering security mechanisms on my routers. Especially with the overhead implications, though that is the thread we're currently in [may it die soon].
building an acl that allows packets matching those you're interested in, and applying it to 'debug ip packet ACL detail' is fairly simple.
just sit there doing 'clear ip cache A.B.C.D W.X.Y.Z'. Find the next hop it's coming from, trace it along, mail your friendly peer or transit provider, or mail your friendly hacker's admins.
granted, this is limited to the domain of routers you control, but it's pretty effective for finding out where the syn attack is coming from.
this assumes the people who are dumb enough to keep syn-ing continue to be stupid enough to use originating source addresses like 234.231.0.33.
-alan
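As an added illustration (not code from either poster), the following script does offline what Alan's hop-by-hop procedure does at the console: it groups SYN-only packets toward the victim by the interface they arrived on, which is the thing that cannot be forged, and separately counts how many claimed sources are addresses that can never legitimately originate a SYN (such as the multicast address 234.231.0.33 quoted above). The records, interface names and addresses are constructed sample data, not output of any real router.

```python
import ipaddress
from collections import Counter

# Constructed sample records: (ingress interface, source, destination, TCP flags).
# Interface names and addresses are made up; 234.231.0.33 is the class D
# (multicast) address quoted in the thread and can never be a real source.
SAMPLE_RECORDS = [
    ("Serial0", "234.231.0.33", "192.0.2.10", "SYN"),
    ("Serial0", "234.231.0.34", "192.0.2.10", "SYN"),
    ("Serial0", "0.0.0.0", "192.0.2.10", "SYN"),
    ("Serial0", "198.51.100.7", "192.0.2.10", "SYN"),
    ("Serial1", "203.0.113.5", "192.0.2.10", "SYN"),
    ("Ethernet0", "192.0.2.20", "192.0.2.10", "SYN"),
    ("Serial0", "198.51.100.8", "192.0.2.10", "SYN ACK"),  # reply, not an attempt
    ("Serial1", "203.0.113.9", "192.0.2.11", "SYN"),       # a different target
]

def is_implausible_source(addr: str) -> bool:
    """True if addr cannot originate a SYN on the Internet: multicast,
    unspecified, loopback, link-local or IETF-reserved (240/4) space."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_multicast or ip.is_unspecified or ip.is_loopback
            or ip.is_link_local or ip.is_reserved)

def is_connect_attempt(flags: str) -> bool:
    """SYN without ACK: the packet type a SYN flood consists of."""
    f = set(flags.split())
    return "SYN" in f and "ACK" not in f

def syn_sources_by_interface(records, target):
    """Count SYNs toward `target` per ingress interface. The interface, not the
    forgeable source address, tells you which neighbour to ask next."""
    counts = Counter()
    for iface, src, dst, flags in records:
        if dst == target and is_connect_attempt(flags):
            counts[iface] += 1
    return counts

def trace_report(records, target):
    """Where do the SYNs to `target` enter, and how many sources are obvious fakes?"""
    per_iface = syn_sources_by_interface(records, target)
    flood_iface, flood_count = per_iface.most_common(1)[0]
    syns = [r for r in records if r[2] == target and is_connect_attempt(r[3])]
    return {
        "next_hop_interface": flood_iface,
        "syns_on_that_interface": flood_count,
        "total_syns": len(syns),
        "implausible_sources": sum(1 for r in syns if is_implausible_source(r[1])),
        "distinct_sources": len({r[1] for r in syns}),
    }

if __name__ == "__main__":
    print(trace_report(SAMPLE_RECORDS, "192.0.2.10"))
```

Run against the sample, the report points at Serial0 as the interface to follow upstream; the per-source counts are only a sanity check, since, as David notes, the origin field itself proves nothing.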