IP: more on Internet Attacks and Critical Infrastructure Protectio n]

[Dave Farber <farber () cis upenn edu>]

> X-Mailer: exmh version 2.1.1 10/15/1999
> From: "Steven M. Bellovin" <smb () research att com>
> To: Dave Farber <farber () cis upenn edu>
> \
>
> Dave -- someone forwarded to me Stewart Baker's comments on network
> authentication.  I think there's a serious misunderstanding of what happened.
>
> Fundamentally, this latest round of attacks was on the recipient's network
> bandwidth.  Very few of the packets actually reached the destination; whether
> or not they were authenticatable was completely irrelevant to the attacker.
> The packets did their harm just by the attempt to deliver them to the 
> victim.
> In fact, mandatory authentication could make things worse, by creating new
> denial of service attacks.  After all, cryptographic authentication is
> expensive, while emitting random packets is not.
>
> To be sure, ISPs can and should deploy anti-spoof filters on their access
> routers.  (This is an IETF Best Current Practice, as spelled out in RFC 
> 2267.)
> By blocking forged source addresses, attacks can easily be blocked or traced
> back to their origin.  And doing this does not hurt customer privacy, since
> the source ISP already must know all legal addresses for each customer.
>
>
>                 --Steve Bellovin