[36228] in North American Network Operators' Group


RE: dsl providers that will route /24

daemon@ATHENA.MIT.EDU (David Schwartz)
Fri Mar 30 06:09:13 2001

From: "David Schwartz" <davids@webmaster.com>
To: "John Fraizer" <nanog@Overkill.EnterZone.Net>
Cc: <nanog@nanog.org>
Date: Fri, 30 Mar 2001 03:05:39 -0800
Message-ID: <NCBBLIEPOCNJOAEKBEAKCEKOOBAA.davids@webmaster.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.LNX.4.21.0103300522200.9647-100000@Overkill.EnterZone.Net>
Errors-To: owner-nanog-outgoing@merit.edu



	I'm going to keep this really simple and go really slow so there's no
chance of a misunderstanding.

	You have a customer A. He has two customers, B and C. Your filter allows A,
B, and C's assigned addresses as source addresses on the link to/from
customer A.

	Your customer A receives a packet from customer B with a source address
assigned to customer C. Your filter allows it even though it's spoofed. You
know why that is? Because your filter can't tell a spoofed packet from an
unspoofed packet.

	Customer B dials up to another ISP. He gets an IP address. He sends a
packet sourced with that IP address to your customer A who forwards it to
you. It's not spoofed, but your filter blocks it. Do you know why that is?
Because your filter can't tell a spoofed packet from an unspoofed packet.

	You may be entirely happy with your filter, and it may be doing exactly
what you want it to do. I won't dispute that. But the fact remains that your
filter cannot tell a spoofed packet from an unspoofed packet. And there's a
simple reason for this -- your filter can't tell where a packet actually
originated, and that's what you need to know to tell whether it's spoofed or
not.

	Do you understand my point yet? A filter cannot tell a spoofed packet from
an unspoofed packet. We've gone back and forth about four times and this
simple point still seems to elude you. I wish I liked to play the name
calling game as much as you do.

	DS

	PS: Am I the only one who was actually a little happy the day some big name
sites got hit with DDoS attacks thinking this would finally bring some
attention and real solutions to the problem of DoS attacks? Am I the only
one disappointed with the fact that things have not gotten significantly
better since then?
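The two cases in the message above, modelled as an added example that is not part of the original post: a prefix-based ingress filter on the link from customer A is compared against ground truth it never sees. The prefixes, the addresses and the packet list are constructed sample values (documentation ranges), not real assignments.

```python
"""Prefix-based ingress filter versus ground truth, for the A/B/C scenario.

Constructed example: the filter on the link from customer A admits any source
address inside the prefixes assigned to A, B or C. Everything below is sample
data, not real allocations.
"""
import ipaddress

# Constructed assignments. A's upstream permits these sources on A's link.
ALLOWED_ON_LINK_FROM_A = [
    ipaddress.ip_network("192.0.2.0/24"),       # customer A
    ipaddress.ip_network("198.51.100.0/25"),    # customer B (downstream of A)
    ipaddress.ip_network("198.51.100.128/25"),  # customer C (downstream of A)
]

def prefix_filter_permits(src, allowed=ALLOWED_ON_LINK_FROM_A):
    """What the ACL can actually decide: is the claimed source in an allowed prefix?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def classify(packet, allowed=ALLOWED_ON_LINK_FROM_A):
    """Compare the filter's verdict with facts the filter has no access to.

    packet: 'src' is the claimed source address, 'origin' the host that really
    sent it, 'origin_owns_src' whether that host is assigned the claimed address.
    """
    permitted = prefix_filter_permits(packet["src"], allowed)
    spoofed = not packet["origin_owns_src"]
    if permitted and spoofed:
        return "spoof-permitted"   # false negative: B using C's address
    if not permitted and not spoofed:
        return "legit-dropped"     # false positive: B's address from another ISP
    return "correct-permit" if permitted else "correct-drop"

# Constructed packets arriving on the link from customer A.
SAMPLE_PACKETS = [
    # B sends a packet claiming one of C's addresses.
    {"src": "198.51.100.200", "origin": "B", "origin_owns_src": False},
    # B dials up another ISP, is assigned 203.0.113.7, and sends via A.
    {"src": "203.0.113.7", "origin": "B", "origin_owns_src": True},
    # B uses its own assigned address.
    {"src": "198.51.100.10", "origin": "B", "origin_owns_src": True},
]

def audit(packets=SAMPLE_PACKETS, allowed=ALLOWED_ON_LINK_FROM_A):
    """Return the classification of every packet, in order."""
    return [classify(p, allowed) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, audit()):
        print(f"{p['src']:>16} sent by {p['origin']}: {verdict}")
```

The same filter accepts the first packet and drops the second; both verdicts follow from the prefix alone, which is the point the message makes about where a packet originated.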


