Re: dsl providers that will route /24

[John Payne <john () sackheads org>]

On Thu, Mar 29, 2001 at 03:08:24PM -0800, David Schwartz wrote:
> > > They could do almost exactly the same amount of damage with an
> > > unspoofed UDP flood and it would still take a human action to stop it.
> >
> > This is a false premise. I get hit with one-off attacks pretty often
> > (oversized pings against my NT boxes, etc.), which are impossible to
> > trace because of invalid source addresses.
> >
> > Source filters would mean that those attacks would be identifiable
> > period, which they are not now.
>
>       Not so. You could still never be sure whether the attack was spoofed or
> not. That the address the attacks appear to come from employ source filters
> doesn't help you.
>
>       At least if they're spoofed and the origin network logs packets that appear
> spoofed, the one off attack will be investigated and whatever caused it to
> happen will be actually fixed. If it's not spoofed, it won't trigger
> anything at its origin, and odds are the origin site will be unable to do
> anything because the attack may have been spoofed and there will be no local
> logs.
>
>       So long as spoofing is possible, you cannot be sure where an attack came
> from unless you can either log it at its source or trace the stream to its
> source. That's the problem, and filters don't fix that.

"I don't filter spoofed packets because there are others that don't filter them"
aiming to be so good at following the crowd that you're the last person there?

-- 
John Payne      http://www.sackheads.org/jpayne/    john () sackheads org
http://www.sackheads.org/uce/                    Fax: +44 870 0547954
        To send me mail, use the address in the From: header