nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: dvv () sprint net (Dima Volodin)
Date: Wed, 2 Oct 1996 23:52:37 -0400 (EDT)

In the same document:

        4. Liabilities

        [...]

           Also, while ingress filtering drastically reduces the
           success of source address spoofing, it does not preclude an
           attacker using a forged source address of another host
           within the permitted prefix filter range.


I.e. a single compromised host in the "permitted prefix filter range"
can cause as much trouble as the current attacks. Granted, it's a bit
easier to track down a host like this, but eliminating the majority of
compromisable hosts is even more difficult than global implementation of
the cited document. The bitter irony is that non-implementation of this
draft will most probably correlate with presence of compromisable hosts.

Thus host-(and firewall-)based solutions are at least as important as
the ingress filtering.

As for the evidence of these attacks - they were evident long before the
current talking.

Dima

Paul Ferguson writes:
 [...]
Well, this is what we [collectively] have been talking about doing
as a 'best current practice' since the attacks became evident.

Also, see:

[snip]


 A New Internet-Draft is available from the on-line Internet-Drafts
 directories.

       Title     : Network Ingress Filtering
       Author(s) : P. Ferguson
       Filename  : draft-ferguson-ingress-filtering-00.txt
       Pages     : 6
       Date      : 10/01/1996
[...]
- - - - - - - - - - - - - - - - -
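As an added example (not from the thread or from the draft), a small Python model of the ingress filter the draft describes, showing the liability quoted at the top of the message: a spoofed source outside the customer's prefix is dropped, one inside it passes, but the ingress interface still narrows down which link it came from. All prefixes, interface names and packets are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed: which customer prefix is permitted on each ingress interface
# (RFC 5737 documentation addresses, not real allocations).
INGRESS_POLICY = {
    "serial0": ip_network("192.0.2.0/24"),
    "serial1": ip_network("203.0.113.0/24"),
}


def ingress_permits(iface: str, src_ip: str, policy=INGRESS_POLICY) -> bool:
    """Ingress filter: accept a packet only if its source lies inside the
    prefix permitted on the interface it arrived on."""
    permitted = policy.get(iface)
    return permitted is not None and ip_address(src_ip) in permitted


def filter_packets(packets, policy=INGRESS_POLICY):
    """Apply the filter to (iface, src, dst) records; return (passed, dropped)."""
    passed, dropped = [], []
    for rec in packets:
        iface, src, _dst = rec
        (passed if ingress_permits(iface, src, policy) else dropped).append(rec)
    return passed, dropped


def suspect_links(passed):
    """Defender's view: every packet that got through is tied to the one link
    whose prefix it matched, so even an in-prefix forgery names the link."""
    return sorted({iface for iface, _src, _dst in passed})


# Constructed sample traffic on the customer-facing interfaces.
SAMPLE_PACKETS = [
    ("serial0", "192.0.2.10", "198.51.100.5"),    # legitimate host on serial0
    ("serial0", "10.0.0.1", "198.51.100.5"),      # forged source, outside prefix
    ("serial0", "203.0.113.7", "198.51.100.5"),   # forged: serial1's prefix on serial0
    ("serial0", "192.0.2.200", "198.51.100.5"),   # forged, but inside serial0's prefix
    ("serial1", "203.0.113.9", "198.51.100.5"),   # legitimate host on serial1
]

if __name__ == "__main__":
    passed, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"passed={len(passed)} dropped={len(dropped)}")
    print("links to examine:", suspect_links(passed))
```

The forged-in-prefix packet on serial0 is exactly the case the draft's liability section concedes; the filter cannot stop it, but the interface it entered on is the starting point for tracking the host down.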

