B.Buxton@Planettechnologies.nl ("Ben Buxton") writes:
> For starters the original exploit won't work very well out of the box for most script kiddies (random source addresses -> killed by anti-spoofing)
Please put a ":-)" in when you're being humorous. That one was subtle enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant blockage when using random source addresses. I'd estimate that less than a tenth of a percent (that's 0.1%) of edge paths use RPF, even though BCP38 states the case clearly and the technology makes it easy and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members of the f-root cluster has gone 60 days since its counters were last cleared, yet...

    #sfo2b.f:i386# ipfw show
    ...
    00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in
    00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in
    00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in
    ...

...it has received almost 7GBytes of rfc1918-sourced traffic in that time.

I don't mean by that example to support my 0.1% assertion, but rather to show that far from filtering not-theirs on ingress, the vast majority of providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies. If you leave a door wide open, they WILL walk through.

-- 
Paul Vixie
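As an added illustration (not part of the original message or any code from the poster), the following Python script does two things the post talks about: it parses `ipfw show` counter lines of the kind quoted above and totals the bytes matched by the RFC1918 deny rules, and it applies the two BCP38 checks the post contrasts, egress (only our own prefixes may leave) and ingress (nothing arriving from outside may claim an RFC1918 or one-of-ours source). The counter lines are the ones from the post; the "our prefixes" list and the packet samples are constructed for the example, and `parse_ipfw_show`, `matched_bytes`, `egress_ok` and `ingress_ok` are names chosen here, not from any real tool.

```python
"""BCP38-style source-address checks plus a small ipfw(8) counter parser.

Added example, not from the original post. Prefix list and sample packets
are constructed; the ipfw lines are the ones quoted in the post.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# RFC 1918 private space: fine inside a site, never a valid source on the
# Internet side of a border. These are the "not-anybodys" of the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the address space this site is authorised to originate from
# (documentation prefix used as a stand-in for a real allocation).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# `ipfw show` counter lines as quoted in the post: rule number, packets,
# bytes, then the rule body. Non-matching lines (prompt, "...") are skipped.
SAMPLE_IPFW = [
    "#sfo2b.f:i386# ipfw show",
    "...",
    "00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in",
    "00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in",
    "00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in",
    "...",
]

_IPFW_SHOW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_ipfw_show(lines: Iterable[str]) -> List[Tuple[int, int, int, str]]:
    """Return (rule_no, packets, bytes, body) for every counter line."""
    rules = []
    for line in lines:
        m = _IPFW_SHOW.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4).strip()))
    return rules


def matched_bytes(lines: Iterable[str], needle: str = "deny") -> int:
    """Sum the byte counters of rules whose body contains `needle`."""
    return sum(b for _, _, b, body in parse_ipfw_show(lines) if needle in body)


def egress_ok(src: str, our_prefixes=OUR_PREFIXES) -> bool:
    """BCP38 egress check: a packet may leave only if its source is ours.
    RFC1918 and random forged sources fail this without any extra rule."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in our_prefixes)


def ingress_ok(src: str, our_prefixes=OUR_PREFIXES) -> bool:
    """Border ingress check: reject RFC1918 sources (the post's 7GBytes) and
    packets from outside that claim to come from inside our own space."""
    ip = ipaddress.ip_address(src)
    if any(ip in p for p in RFC1918):
        return False
    return not any(ip in p for p in our_prefixes)


def audit(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the check matching each constructed packet's direction.
    Returns (direction, src, verdict) triples."""
    out = []
    for direction, src in packets:
        ok = egress_ok(src) if direction == "egress" else ingress_ok(src)
        out.append((direction, src, "pass" if ok else "drop"))
    return out


if __name__ == "__main__":
    total = matched_bytes(SAMPLE_IPFW)
    print(f"RFC1918-sourced bytes denied on ingress: {total} "
          f"({total / 1e9:.2f} GB)")
    # Constructed packets: (direction, source address)
    for row in audit([("egress", "198.51.100.7"), ("egress", "10.1.2.3"),
                      ("egress", "203.0.113.9"), ("ingress", "192.168.0.1"),
                      ("ingress", "198.51.100.7"), ("ingress", "203.0.113.5")]):
        print(row)
```

Running it shows the three quoted deny rules account for 6749677471 bytes, which is the "almost 7GBytes" in the post, and that the egress rule alone would have stopped every forged-source packet in the sample while the ingress rule catches what a neighbour who does no egress filtering lets out.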