[4136] in linux-net channel archive
Re: SYN floods
daemon@ATHENA.MIT.EDU (Racer X)
Thu Aug 22 02:37:33 1996
Date: Wed, 21 Aug 1996 23:44:30 -0400 (EDT)
From: Racer X <shagboy@wspice.com>
Reply-To: shagboy@bluesky.net
To: Alan Cox <alan@cymru.net>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <199608200847.JAA26868@snowcrash.cymru.net>
On Tue, 20 Aug 1996, Alan Cox wrote:
> What is supposed to solve it is that a) any competent provider and
> backbone providers links should be filtering frames with a bogus source
> address and b) because of that you know where the frames really came
> from.
How do you know what's bogus and what's not? How would a typical
backbone router know that xx.yy.zz.2 (where xx.yy.zz is my class C) is
valid, but xx.yy.zz.3 is not?
That's pretty picky I know - so let's assume that the router passes the
entire class C. But when I get a new class C that I can pass out to
clients, how do I make sure the changes are propagated to all the
backbones?
Moreover, I can SAY I come from anywhere, and I can easily put a
legitimate address in. So this wouldn't really solve the problem at hand
anyway.
> A provider not filtering bogus source addresses deserves (IMHO) to go
> down in flames in court as negligent if their failure to do this kind
> of basic filtering for the good of the net as a whole causes problems.
This is a little extreme. I'd much rather take the burden of filtering
on myself rather than have my provider decide what's best for me. That
sounds too much like something the government would do.
Filtering out a 10.x.x.x address is legitimate; that's clearly marked as
"reserved for private networks". Filtering out "bogus" addresses is
not. (and incidentally, has anyone else noticed the fact that many
backbone routers DON'T filter out those RFC designated addresses?)
shag
Judd Bourgeois | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key | not hereditary. Thomas Paine
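The prefix-level source-address filter the thread is arguing about, written out as an added Python example that is not part of the archived post; the customer /24, the reserved ranges and the sample packets are constructed, and the third and fourth verdicts illustrate shag's point that a router can only check at prefix granularity, so a spoofed address inside the assigned block still passes.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the prefix a provider has assigned to one customer link
# (the "class C" of the post) and reserved ranges a border should never accept.
CUSTOMER_LINK_PREFIXES = [ip_network("192.0.2.0/24")]  # assumed customer /24
RESERVED_SOURCE_PREFIXES = [                            # RFC 1918 plus loopback
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]


def classify_source(src, link_prefixes=CUSTOMER_LINK_PREFIXES,
                    reserved=RESERVED_SOURCE_PREFIXES):
    """Return 'drop-reserved', 'drop-spoofed' or 'pass' for one source address.

    The router cannot know whether .2 or .3 inside the customer's /24 is really
    in use, so the check works at prefix granularity only: anything inside an
    assigned prefix passes, anything reserved or outside every assigned prefix
    is dropped at the edge before it can reach the rest of the net.
    """
    addr = ip_address(src)
    if any(addr in net for net in reserved):
        return "drop-reserved"
    if any(addr in net for net in link_prefixes):
        return "pass"
    return "drop-spoofed"


def filter_packets(packets, **kw):
    """Apply classify_source to (src, dst) records; return {src: verdict}."""
    return {src: classify_source(src, **kw) for src, _dst in packets}


# Constructed sample traffic as it might arrive on the customer's link.
SAMPLE_PACKETS = [
    ("192.0.2.2", "198.51.100.10"),    # assigned host in the /24: passes
    ("192.0.2.3", "198.51.100.10"),    # unassigned but inside the /24: still passes
    ("10.1.2.3", "198.51.100.10"),     # private source, never valid past the edge
    ("203.0.113.7", "198.51.100.10"),  # outside every assigned prefix: dropped
]

if __name__ == "__main__":
    for src, verdict in filter_packets(SAMPLE_PACKETS).items():
        print(f"{src:>14}  {verdict}")
```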