McBurnett, Jim wrote:
if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year?
In a sense, I would agree with you. The best method for what you describe is, of course, NAT. However, I can think of a lot of protocols that won't work with it properly. While a large portion of the userbase doesn't notice, vendors trying to put out products with these protocols do notice and their technologies are delayed as a result.

In addition, your logic will not stop bots installed via email. It doesn't have to be a worm. Enough end users will click the exe themselves despite the fact they have no clue what it is or who it's from. They are curious, so they open it. Each week, I have to explain to a user whose account I suspended that curiosity killed the cat. I Gigs of executables from email to help protect the majority of our user base, and yet they go to some webmail provider to get infected or just sit on irc or accept files across instant messenger. So much for network security. Now they have a bot sitting behind NAT with a source started irc uplink for commands. It's a good thing my network is multi-staged spoof protected both ways.

-Jack