At 05:32 PM 10/2/96 -0400, Dima Volodin wrote:
Anyway, filtering packets with SRC addresses known to generate ICMP_UNREACH at the earliest possible stage might be a good idea.
Well, this is what we [collectively] have been talking about doing as a 'best current practice' since the attacks became evident. Also, see: [snip] A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Network Ingress Filtering Author(s) : P. Ferguson Filename : draft-ferguson-ingress-filtering-00.txt Pages : 6 Date : 10/01/1996 Recent occurrences of various Denial of Service attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective and straightforward method for using ingress traffic filtering to deny attacks which use "invalid" source addresses; prefixes which are not being legitimately advertized to the Internet via a particular service provider gateway. [snip] Once the document is revised to an acceptable [rough consensus] draft, I'd like to see it become published as a BCP. - paul