nanog mailing list archives

Re: DDOS prevention offensive.


From: "Bill Larson" <blarson () compu net>
Date: Thu, 12 Jul 2001 12:25:28 -0500


To clarify, what I intended to say was if you filter all the IP addresses
that do not belong to you from the Ethernet side of your routers' outgoing
traffic, the problems with spoofed or bogus IP addresses coming from your
net blocks go away. If all Internet-connected entities did this, then this
would make it possible to find and get the systems administrators to have
the zombies patched; failing that, the zombie machines could be null routed.
This would also assist in tracking down hackers, port scanners, and other
criminal types who currently have free rein over your network with spoofed
addresses.

Bill Larson
Network Administrator, Compu-Net Enterprises
Local:     (931) 920-0043
Toll free: (877) 920-1429
----- Original Message -----
From: "Rob Thomas" <robt () cymru com>
To: <nanog () merit edu>
Sent: Thursday, July 12, 2001 12:03 PM
Subject: Re: DDOS prevention offensive.



] Discuss the effect that widespread filtering against spoofed
] addresses would have on the current number of DDOS attacks.

I performed a statistical analysis of a collection of log files
from one oft-targeted site.  The data therein revealed that 68%
of all the naughty packets contained obviously bogon source
addresses (e.g. 127/8).

I wouldn't extrapolate this analysis to fit all sites.  I see
more than enough DoS attacks where the source is not spoofed.  I
do think such filtering would go a long way towards mitigating
DDoS attacks.

--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");
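
The two checks discussed in this thread, as an added example that is not part of either message: an egress decision that permits only sources inside the site's own net blocks, and a victim-side count of bogon sources in a log. The bogon list is a short illustrative subset, and the prefix and addresses are constructed (documentation ranges stand in for routable space).

```python
import ipaddress

# Assumption: a short illustrative bogon list; production lists are longer.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed sample: 192.0.2.0/24 (a documentation range) stands in for the
# net block assigned to this site.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def is_bogon(src):
    """True if src falls in address space that should never appear as a source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


def egress_verdict(src, own=OWN_PREFIXES):
    """Decision for a packet entering the router's LAN side, bound for the Internet."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in own):
        return "permit"
    # Anything else is spoofed or misconfigured; note which kind for the log.
    return "drop-bogon" if is_bogon(src) else "drop-not-ours"


def bogon_share(sources):
    """Fraction of logged source addresses that are bogons (victim-side view)."""
    if not sources:
        return 0.0
    return sum(is_bogon(s) for s in sources) / len(sources)


if __name__ == "__main__":
    # Constructed source addresses, as a LAN-facing interface might see them.
    for src in ("192.0.2.10", "127.0.0.1", "10.1.2.3", "198.51.100.7"):
        print(f"{src:15} {egress_verdict(src)}")
```

The "drop-not-ours" case is the one a bogon list alone cannot catch: the source looks routable but does not belong to the site, which is why the filter is keyed on the site's own prefixes.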


