[36188] in North American Network Operators' Group


Re: dsl providers that will route /24

daemon@ATHENA.MIT.EDU (John Payne)
Thu Mar 29 18:33:53 2001

Date: Thu, 29 Mar 2001 15:15:25 -0800
From: John Payne <john@sackheads.org>
To: David Schwartz <davids@webmaster.com>
Cc: "Eric A. Hall" <ehall@ehsco.com>, nanog@nanog.org
Message-ID: <20010329151525.L24551@haybaler.sackheads.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <NCBBLIEPOCNJOAEKBEAKAEILOBAA.davids@webmaster.com>; from davids@webmaster.com on Thu, Mar 29, 2001 at 03:08:24PM -0800
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Mar 29, 2001 at 03:08:24PM -0800, David Schwartz wrote:
> 
> 
> > > They could do almost exactly the same amount of damage with an
> > > unspoofed UDP flood and it would still take a human action to stop it.
> >
> > This is a false premise. I get hit with one-off attacks pretty often
> > (oversized pings against my NT boxes, etc.), which are impossible to
> > trace because of invalid source addresses.
> >
> > Source filters would mean that those attacks would be identifiable
> > period, which they are not now.
> 
> 	Not so. You could still never be sure whether the attack was spoofed or
> not. That the address the attacks appear to come from employs source filters
> doesn't help you.
> 
> 	At least if they're spoofed and the origin network logs packets that appear
> spoofed, the one-off attack will be investigated and whatever caused it to
> happen will be actually fixed. If it's not spoofed, it won't trigger
> anything at its origin, and odds are the origin site will be unable to do
> anything because the attack may have been spoofed and there will be no local
> logs.
> 
> 	So long as spoofing is possible, you cannot be sure where an attack came
> from unless you can either log it at its source or trace the stream to its
> source. That's the problem, and filters don't fix that.

"I don't filter spoofed packets because there are others that don't filter them"
Aiming to be so good at following the crowd that you're the last person there?

-- 
John Payne      http://www.sackheads.org/jpayne/    john@sackheads.org
http://www.sackheads.org/uce/                    Fax: +44 870 0547954
        To send me mail, use the address in the From: header

