SYN spoofing

batz batsy at
Wed Jul 28 20:38:26 UTC 1999

On Wed, 28 Jul 1999, Joe Shaw wrote:

:Any provider who allows the passing of address space that isn't his own
:(beyond whatever transit they may provide to their peers) is shameful.  
:How hard is it really to put a filter on your outbound links that says
:drop all ip traffic heading out these links that isn't from my IP space?
:It's just like martian filters for your inbound links, and we'd see a
:significant decrease in spoofing based attacks if it was more widely
:adopted.  Not to mention it'll keep peers from dumping traffic on you.

As far as I can tell, if the RST packets are hitting their firewall, 
it isn't just a case of filtering packets with a dst of an rfc1918

If someone is spoofing a scan from 10/8, and the responses are hitting
an interface on a firewall, that means that there is a route for 10/8
somewhere in that AS pointing to that firewall, which also means that 
someone is allowing their customers to leak that route to them. 

This is much worse problem than simply not filtering individual packets. 
I think that most of the net knows not to announce rfc1918 addrs via
bgp, it just seems that some providers are allowing these routes to 
pollute their IGP which, depending on the size of the AS, is just 
as bad. 

Chief Reverse Engineer 
Superficial Intelligence Research Division
Defective Technologies

More information about the NANOG mailing list