If you go back to the thread, you'll see that I was responding to the idea that using src-addr verification would not prevent someone from spoofing addresses on his own subnet. Others pointed out that while this might hide the true offender, it would still make the DoS attack easier to mitigate because the src addresses would indicate the network from which the attack originated (if not the actual hosts). Some folks didn't seem to appreciate the value here, therefore I asserted that there is a specific difference between packets with virtually random src addrs and packets that passed through src-addr filters. The first set are not traceable and their src addresses are generally useless, while the 2nd set have src addresses that can be used to trace to at least the attack's source network.

As for your confusion, I am not sure that I can help with that. :-)

-----Original Message-----
From: Christopher L. Morrow [mailto:chris@UU.NET]
Sent: Thursday, October 31, 2002 1:21 AM
To: H. Michael Smith, Jr.
Cc: 'Hank Nussbacher'; variable@ednet.co.uk; nanog@nanog.org
Subject: RE: no ip forged-source-address

On Wed, 30 Oct 2002, H. Michael Smith, Jr. wrote:
> A fundamental effect of spoofing addresses from your local subnet is that when the packets reach their target, the source addresses are meaningful. I realize that the traceability of these packets has already been mentioned, but I want to point out the profound difference between a DDoS attack with meaningful vs. meaningless source addresses.

I'm confused.. it's still a DoS attack, eh??
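The distinction the thread draws, as an added illustration that is not part of the original messages or of any router vendor's implementation: a small model of per-edge source-address verification, with constructed prefixes, edge names and packets, showing what the target can recover from the source addresses that survive. It assumes each customer edge has exactly one assigned prefix.

```python
# Added example: a toy model of per-edge source-address verification and of what a
# target can recover from the source addresses it sees. Not from the thread; the
# prefixes, edge names and packets below are constructed for illustration.
import ipaddress
from collections import Counter

# Constructed: the prefix each customer edge is allowed to source traffic from.
EDGE_PREFIXES = {
    "edge-A": ipaddress.ip_network("192.0.2.0/24"),
    "edge-B": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed attack traffic as (ingress edge, claimed source address).
# edge-A's sender spoofs inside and outside its own /24; edge-B's picks random sources.
PACKETS = [
    ("edge-A", "192.0.2.7"), ("edge-A", "192.0.2.250"), ("edge-A", "203.0.113.9"),
    ("edge-B", "10.1.2.3"), ("edge-B", "203.0.113.77"), ("edge-B", "198.51.100.42"),
]

def ingress_filter(edge, src, filtering_edges):
    """Forward the packet unless the edge verifies sources and src is outside its prefix."""
    if edge not in filtering_edges:
        return True  # no src-addr verification on this edge: anything is forwarded
    return ipaddress.ip_address(src) in EDGE_PREFIXES[edge]

def attribute_sources(srcs):
    """What the target can say: map each source to the edge whose prefix contains it."""
    counts = Counter()
    for src in srcs:
        addr = ipaddress.ip_address(src)
        origin = next((e for e, p in EDGE_PREFIXES.items() if addr in p), "untraceable")
        counts[origin] += 1
    return dict(counts)

def simulate(filtering_edges, packets=PACKETS):
    """Run packets through the edges; return the target's attribution of what arrives."""
    delivered = [src for edge, src in packets if ingress_filter(edge, src, filtering_edges)]
    return attribute_sources(delivered)

if __name__ == "__main__":
    print("no filtering:", simulate(set()))
    print("all edges filter:", simulate(set(EDGE_PREFIXES)))
```

With filtering on, the "untraceable" bucket disappears: every surviving source falls inside its ingress edge's prefix, which is the "trace to at least the source network" case, while the individual host behind 192.0.2.250 is still not identified.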