nanog mailing list archives

RE: no ip forged-source-address


From: "H. Michael Smith, Jr." <michael () awtechnologies com>
Date: Thu, 31 Oct 2002 01:32:48 -0500


If you go back to the thread, you'll see that I was responding to the
idea that using src-addr verification would not prevent someone from
spoofing addresses on his own subnet.  Others pointed out that while
this might hide the true offender, it would still make the DoS attack
easier to mitigate because the src addresses would indicate the network
from which the attack originated (if not the actual hosts).  Some folks
didn't seem to appreciate the value here, therefore I asserted that
there is a specific difference between packets with virtually random src
addrs, and packets that passed through src-addr filters.  The first set
are not traceable and their src addresses are generally useless, while the 2nd set
have src addresses that can be used to trace to at least the attack's
source network.

As for your confusion, I am not sure that I can help with that. :-)



-----Original Message-----
From: Christopher L. Morrow [mailto:chris () UU NET] 
Sent: Thursday, October 31, 2002 1:21 AM
To: H. Michael Smith, Jr.
Cc: 'Hank Nussbacher'; variable () ednet co uk; nanog () nanog org
Subject: RE: no ip forged-source-address



On Wed, 30 Oct 2002, H. Michael Smith, Jr. wrote:

> A fundamental effect of spoofing addresses from your local subnet is
> that when the packets reach their target, the source addresses are
> meaningful.  I realize that the traceability of these packets has
> already been mentioned, but I want to point out the profound difference
> between a DDoS attack with meaningful vs. meaningless source addresses.


I'm confused.. its still a DoS attack, eh??
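The distinction Smith draws between a flood with "virtually random" source addresses and a flood that had to pass an edge source-address filter can be made concrete with a small simulation. The following is an added example, not code from the thread or from any vendor's implementation of the filter being discussed. It assumes a constructed topology: the attacking host sits in the access network 192.0.2.0/24, the edge router toward that network forwards only packets whose source lies inside that prefix, and the victim is 198.51.100.10 (both RFC 5737 documentation prefixes). The attacker first floods with uniformly random sources, then, once the filter drops those, with sources spoofed only inside its own subnet. The victim-side analysis aggregates arriving sources by /24, which is an assumption of the example; a real operator would map sources onto routed prefixes and registry data.

```python
import ipaddress
import random
from collections import Counter

# Constructed example topology (assumptions, not from the thread):
# attacking host in 192.0.2.0/24, edge filter on that access link,
# victim at 198.51.100.10. RFC 5737 documentation prefixes throughout.
ATTACKER_SUBNET = ipaddress.ip_network("192.0.2.0/24")
ATTACKER_HOST = "192.0.2.77"
VICTIM = "198.51.100.10"


def ingress_filter(iface_prefix, packets):
    """Source-address verification at the customer edge: a packet is
    forwarded only if its source address lies inside the prefix
    configured on the interface it arrived on. Everything else is dropped."""
    net = ipaddress.ip_network(iface_prefix)
    return [p for p in packets if ipaddress.ip_address(p["src"]) in net]


def random_spoofed_flood(rng, n):
    """Attack 1: source addresses drawn uniformly from the whole IPv4 space."""
    return [{"src": str(ipaddress.IPv4Address(rng.getrandbits(32))),
             "dst": VICTIM, "true_host": ATTACKER_HOST} for _ in range(n)]


def subnet_spoofed_flood(rng, n):
    """Attack 2: the attacker spoofs only addresses of its own subnet,
    which is the most it can do once the edge filter is in place."""
    return [{"src": str(ATTACKER_SUBNET[rng.randrange(1, 255)]),
             "dst": VICTIM, "true_host": ATTACKER_HOST} for _ in range(n)]


def attribute_sources(packets, prefixlen=24):
    """Victim-side analysis: count the source addresses of received packets
    by prefix. The /24 granularity is an assumption for the example."""
    counts = Counter()
    for p in packets:
        net = ipaddress.ip_network(f"{p['src']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def dominant_source_network(packets, prefixlen=24, share=0.9):
    """Return the prefix carrying at least `share` of the attack packets,
    or None when the sources are spread out (random spoofing)."""
    if not packets:
        return None
    prefix, count = attribute_sources(packets, prefixlen).most_common(1)[0]
    return prefix if count / len(packets) >= share else None


def simulate(seed=1, n=1000):
    """Run both floods through the edge filter and report what the victim
    can conclude from the packets that actually arrive."""
    rng = random.Random(seed)
    random_flood = random_spoofed_flood(rng, n)
    subnet_flood = subnet_spoofed_flood(rng, n)
    # Without a filter, every random-source packet reaches the victim and
    # the sources point nowhere in particular.
    unfiltered = random_flood
    # With the filter, random-source packets die on the attacker's access
    # link; only the subnet-spoofed flood gets through.
    random_passed = ingress_filter(str(ATTACKER_SUBNET), random_flood)
    subnet_passed = ingress_filter(str(ATTACKER_SUBNET), subnet_flood)
    return {
        "random_passed": len(random_passed),
        "subnet_passed": len(subnet_passed),
        "random_origin": dominant_source_network(unfiltered),
        "subnet_origin": dominant_source_network(subnet_passed),
        # The filter does not identify the host: the arriving packets still
        # carry many distinct sources, none guaranteed to be the real one.
        "subnet_distinct_srcs": len({p["src"] for p in subnet_passed}),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run as a script, the random-source flood yields no dominant prefix and nothing survives the filter, while the subnet-spoofed flood that does get through resolves to 192.0.2.0/24 at the victim even though it still carries a couple of hundred distinct spoofed hosts. That is exactly the trade-off in the thread: the true offender is hidden, but the source network is not.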




