John, This sort of feature could be easily added into a NAS, but I question your implementation details. If this filter was turned on by default, then this could "break" other types of services which may require source ip addresses other than the one which was negotiated to the user. This would mean that a customer could perform a flash upgrade and find that their service no longer operates (a technical support nightmare). Would you be willing to consider such a feature where it would have to be enabled (and is disabled by default) and a very well explained document with the release notes to service providers advising them of the risk of not enabling this switch?? Pat R. Calhoun e-mail: pcalhoun@usr.com Project Engineer - Lan Access R&D phone: (847) 933-5181 US Robotics Access Corp. ______________________________ Reply Separator _________________________________ Subject: Re: Re[2]: SYN floods (was: does history repeat itself?) Author: "John G. Scudder" <jgs@ieng.com> at Internet Date: 9/12/96 2:33 PM At 1:44 PM -0400 9/12/96, Curtis Villamizar wrote:
I agree with you completely -- sort of. Only problem is there are thought to be some 3,000 dial access providers. Many of them barely know what a TCP SYN is, let alone why they need to block ones with random source addresses and how. Unless of course you are ^^^^^^^^^^^^^^^^^^^^^^^^ volunteering to explain it and help them. Thanks in advance. :-) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Curtis, this is a great point. USR and other NAS vendors are actually in a great position to do exactly this, by changing their boxes to block random addresses *by default* on dial-up ports. This is of course exactly the point Vadim and others keep making, and of course as they point out there ought to be a knob to disable it if desired. Insofar as guys who "barely know what a TCP SYN is" are unlikely to twist the knobs, defaulting filtering to "block spoofed addresses" seems like the best and maybe only way to get them to do it. How about it, USR &al? --John -- John Scudder email: jgs@ieng.com Internet Engineering Group, LLC phone: (313) 669-8800 122 S. Main, Suite 280 fax: (313) 669-8661 Ann Arbor, MI 41804 www: http://www.ieng.com