nanog mailing list archives

Re: Defeating DoS Attacks Through Accountability


From: Valdis.Kletnieks () vt edu
Date: Sat, 11 Nov 2000 22:48:52 -0500

On Sat, 11 Nov 2000 11:27:20 EST, Mark Mentovai said:
> Not so fast, there are situations when you are authorized to have a certain
> chunk of address space but elect not to advertise it a certain way for
> whatever reason.  Maybe someone has a pipe that they want to use for
> outbound traffic only and they don't want to use it at all for inbound traffic,
> and as a result, they don't advertise their routes across it.  What
> justification do you use for dropping traffic that falls into this category?

It's a general principle.

Anyhow, they're going to get damned little inbound traffic unless they
announce a route for it to *someplace*.   I think the original *general*
policy was "If we don't have ANY route for it, we don't accept the traffic",
which sort of makes sense - how would you get through a TCP 3-way handshake
if the SYN+ACK always got back an ICMP Host Unreachable?  I saw no requirement
that the routing not be asymmetric, only that routing exist.

I'm sure Mark Prior will correct me if I mis-read him... ;)

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
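
The policy discussed in this message, as an added example that is not part of the original post: a "loose" source check (some route exists for the source address) next to a "strict" one (the route back must use the arrival interface). The prefixes, interface names, function names and the loose/strict labels are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# hypothetical interface names; none of this comes from the thread.
FIB = [
    # (prefix, interface the best route points out of)
    (ipaddress.ip_network("198.51.100.0/24"), "transit-a"),
    (ipaddress.ip_network("203.0.113.0/24"), "peer-b"),
]


def lookup(src):
    """Longest-prefix match; returns the route's interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def accept_loose(src, in_ifc):
    """'If we don't have ANY route for it, we don't accept the traffic.'"""
    return lookup(src) is not None


def accept_strict(src, in_ifc):
    """Stricter variant: the route back must use the arrival interface."""
    return lookup(src) == in_ifc


def classify(src, in_ifc):
    """Verdict of both checks for one packet (source address, arrival interface)."""
    return {"loose": accept_loose(src, in_ifc),
            "strict": accept_strict(src, in_ifc)}


if __name__ == "__main__":
    packets = [
        ("198.51.100.7", "transit-a"),  # symmetric path
        ("198.51.100.7", "peer-b"),     # asymmetric: routed back elsewhere
        ("192.0.2.9", "peer-b"),        # no route at all for this source
    ]
    for src, ifc in packets:
        print(src, ifc, classify(src, ifc))
```

In this sketch a 0.0.0.0/0 entry would match every source, so the loose check only filters when the table carries no default route.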


