SYN spoofing

Ron Buchalski rbuchals at
Tue Aug 3 15:33:59 UTC 1999

>From: Randy Bush <randy at>
>To: Joe Shaw <jshaw at>
>CC: John Fraizer <John.Fraizer at EnterZone.Net>,Dan Hollis 
><goemon at>, bandregg at,nanog at
>Subject: Re: SYN spoofing
>Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)
> > How hard is it really to put a filter on your outbound links that says
> > drop all ip traffic heading out these links that isn't from my IP space?
>trivial.  only one gotcha.  if it is a backbone router, it will fall over
>dead.  beyond that, not a problem.
>backbone level traffic can not be packet filtered by current real routers.
>but we've had this discussion a few times already.

Which is why it's more scalable to do packet filtering at the edge, and 
leave the core to do what it does best...switch packets.
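
The outbound filter discussed in this thread (drop anything leaving an edge link whose source is not in your own IP space), as an added example that is not part of the original post. The prefixes and packets are constructed from documentation address ranges, the function names are hypothetical, and the rendered lines follow IOS-style extended ACL syntax as an assumed target format.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for "my IP space".
MY_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]

# Constructed (source, destination) pairs seen heading out of an edge link.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),     # legitimate: source inside our space
    ("198.51.100.77", "203.0.113.5"),  # legitimate
    ("203.0.113.99", "203.0.113.5"),   # spoofed: source is not ours
    ("10.1.2.3", "203.0.113.5"),       # spoofed: RFC 1918 source leaking out
]


def build_filter(prefixes):
    """Parse and aggregate the local prefixes into the shortest permit list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def permits(permit_list, src):
    """True if the source address falls inside one of the permitted prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop, as the final deny would
    return any(addr in net for net in permit_list)


def audit(permit_list, packets):
    """Split packets into (forwarded, dropped) the way the edge filter would."""
    forwarded = [p for p in packets if permits(permit_list, p[0])]
    dropped = [p for p in packets if not permits(permit_list, p[0])]
    return forwarded, dropped


def render_acl(permit_list, number=101):
    """Render the permit list as IOS-style extended ACL lines (wildcard masks)."""
    lines = [f"access-list {number} permit ip {n.network_address} {n.hostmask} any"
             for n in permit_list]
    lines.append(f"access-list {number} deny ip any any")
    return lines


if __name__ == "__main__":
    acl = build_filter(MY_PREFIXES)
    print("\n".join(render_acl(acl)))
    fwd, drop = audit(acl, SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

Aggregating the prefixes first keeps the per-interface rule count small, which is what makes this kind of filter practical on edge routers.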

