Erik E. Fair (Time Keeper)
fair at clock.org
Thu Aug 21 20:18:34 UTC 1997
There is another mitigation: everyone here should commit to filtering
customer packets at the customer premises router (or at the dial in for
PPP/SLIP) such that it is not possible for a customer to send a packet into
the network that has an IP source address on it that is not assigned to
that customer. That is, no more lying about source addresses.

Each of you should also consider (depending upon how your address
allocations go - this should be cheap for a single CIDR block) filtering
all packets coming at you from elsewhere that have source addresses in your
assigned address space. That is, no one should be able to send you packets
that you appear to have originated.

This is for the terminal networks, not the transit networks.

This is an old problem. It's another variant of the TCP SYN flood thing.
These filters also help with that problem too.

Erik Fair <fair at clock.org>
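
The two filters described in the message above, modelled as an added example that is not part of the original post: one check at the customer-facing edge and one on links from elsewhere, run over constructed packets. The prefixes are documentation ranges, and the customer names and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allocations (documentation prefixes, not from the post).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "198.51.100.0/24"],
}
# Address space assigned to this (terminal) network as a whole.
OUR_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]


def in_any(src, prefixes):
    """True if src parses as an IP address and falls inside one of the prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source matches nothing
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def customer_edge_permits(customer, src):
    """Filter 1: at the customer premises router or dial-in port, accept only
    source addresses assigned to that customer. Unknown customers fail closed."""
    return in_any(src, CUSTOMER_PREFIXES.get(customer, []))


def external_edge_permits(src):
    """Filter 2: on links from elsewhere, reject any packet whose source
    address claims to be inside our own assigned space."""
    return not in_any(src, OUR_BLOCKS)


def classify(packets):
    """packets: iterable of (ingress, src); ingress is a customer name or 'external'."""
    out = []
    for ingress, src in packets:
        if ingress == "external":
            ok = external_edge_permits(src)
        else:
            ok = customer_edge_permits(ingress, src)
        out.append((ingress, src, "permit" if ok else "drop"))
    return out


if __name__ == "__main__":
    sample = [("cust-a", "192.0.2.10"), ("cust-a", "192.0.2.200"),
              ("cust-a", "203.0.113.5"), ("external", "192.0.2.10"),
              ("external", "203.0.113.5")]
    for row in classify(sample):
        print(*row)
```

Note that `cust-a` sending from `192.0.2.200` is dropped even though the address is inside the provider's block: the customer-edge check is per customer, not per provider.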