Sean Donelan wrote:
Or is this a case, if we had thought about it, we would have prohibited it at the start; but now it's in the wild we don't know how to get it back in the barn.
Mmmm... we got onto this argument by someone implying we wouldn't need this sort of defensive technique (ICMP rate limiting on egress) if source-spoofed packets weren't transmittable (or weren't widely transmittable). I agree. However, as you are demonstrating, whilst getting to this utopia would be great, getting there will take a long time.

I'm sure we *might* also fix DoS attacks using some sort of interprovider MPLS or the like to provide QoS negotiation (and that'll also give you non-destination-based routing)... and I bet that even if this could be got to work, it would take even longer.

In the meantime, ICMP rate limiting is here now and deployable for most people at these exchange points today.

--
Alex Bligh
GX Networks (formerly Xara Networks)
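The point Alex makes, that an egress ICMP rate limit works without knowing whether a source address is genuine, is easy to see in a small model. The following is an added illustration, not code from the thread or from any vendor; it models a committed-access-rate style token bucket applied only to ICMP on an egress interface, and runs it over a constructed packet stream: a spoofed-source ICMP flood, some TCP traffic, and one legitimate small ICMP message arriving during the flood. The rate (8 bytes/ms, i.e. 64 kbit/s), the burst (8000 bytes), the addresses and the timings are all made-up assumptions chosen to keep the arithmetic exact.

```python
"""Egress ICMP rate limiting modelled as a token bucket.

Added example (not from the NANOG thread).  All traffic below is
constructed; addresses, sizes and timings are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    t_ms: int    # arrival time at the egress interface, in milliseconds
    proto: str   # "icmp" or "tcp"
    size: int    # bytes on the wire
    src: str     # source address; the limiter never looks at it, spoofed or not


class TokenBucket:
    """Committed rate: `rate` bytes per millisecond sustained, plus `burst`
    bytes of credit that may be spent at once.  Integer arithmetic keeps the
    simulation exact and the results reproducible."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = burst        # bucket starts full
        self.last_ms = 0

    def conforms(self, now_ms: int, size: int) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size    # conform action: transmit, spend credit
            return True
        return False               # exceed action: drop, no credit spent


def egress_icmp_limit(packets: List[Packet], rate: int = 8,
                      burst: int = 8000) -> Tuple[List[Packet], List[Packet]]:
    """Forward everything except ICMP that exceeds the bucket.  Only the
    protocol is inspected, so a spoofed source cannot evade the limit."""
    bucket = TokenBucket(rate, burst)
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda p: p.t_ms):
        if p.proto != "icmp" or bucket.conforms(p.t_ms, p.size):
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped


def constructed_traffic() -> List[Packet]:
    # 1000 ICMP packets of 100 bytes, one per millisecond (800 kbit/s), each
    # with a different (spoofed) source address.
    flood = [Packet(k, "icmp", 100, f"10.{k % 256}.{k // 256}.1") for k in range(1000)]
    # TCP traffic sharing the interface; the limiter must leave it alone.
    tcp = [Packet(k * 100, "tcp", 1500, "192.0.2.10") for k in range(10)]
    # One legitimate 56-byte ICMP message (e.g. a "fragmentation needed"
    # style error from a real router) arriving while the flood is in progress.
    legit = [Packet(501, "icmp", 56, "198.51.100.1")]
    return flood + tcp + legit


def summarize(packets: List[Packet], rate: int = 8, burst: int = 8000) -> Dict[str, object]:
    forwarded, dropped = egress_icmp_limit(packets, rate, burst)
    icmp_fwd = [p for p in forwarded if p.proto == "icmp"]
    return {
        "icmp_forwarded": len(icmp_fwd),
        "icmp_dropped": sum(p.proto == "icmp" for p in dropped),
        "tcp_forwarded": sum(p.proto == "tcp" for p in forwarded),
        "icmp_bytes_forwarded": sum(p.size for p in icmp_fwd),
        # The limiter cannot tell the real router's packet from the flood.
        "legit_icmp_dropped": any(p.src == "198.51.100.1" for p in dropped),
    }


if __name__ == "__main__":
    for key, value in summarize(constructed_traffic()).items():
        print(f"{key}: {value}")
```

With these parameters the flood is held to the burst plus the sustained rate (15900 bytes forwarded out of 100000 offered over one second, against a ceiling of 8000 + 8 x 999 = 15992), the TCP packets pass untouched, and the legitimate ICMP message is dropped along with the flood. That last line is the caveat a practitioner should keep in mind: the technique's strength (it needs no knowledge of source validity) is also its weakness, so the rate has to be chosen with the interface's real ICMP needs in mind rather than set as low as possible.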