dsl providers that will route /24
David Schwartz
davids at webmaster.com
Fri Mar 30 11:05:39 UTC 2001
I'm going to keep this really simple and go really slow so there's no
chance of a misunderstanding.
You have a customer A. He has two customers, B and C. Your filter allows A,
B, and C's assigned addresses as source addressees on the link to/from
customer A.
Your customer A, receives a packet from customer B with a source address
assigned to customer C. Your filter allows it even though it's spoofed. You
know why that is? Because your filter can't tell a spoofed packet from an
unspoofed packet.
Customer B dials up to another ISP. He gets an IP address. He sends a
packet sourced with that IP address to your customer A who forwards it to
you. It's not spoofed, but your filter blocks it. Do you know why that is?
Because your filter can't tell a spoofed packet from an unspoofed packet.
You may be entirely happy with your filter, and it may be doing exactly
what you want it to do. I won't dispute that. But the fact remains that your
filter cannot tell a spoofed packet from an unspoofed packet. And there's a
simple reason for this -- your filter can't tell where a packet actually
originated, and that's what you need to know to tell whether it's spoofed or
not.
Do you understand my point yet? A filter cannot tell a spoofed packet from
an unspoofed packet. We've gone back and forth about four times and this
simple point still seems to elude you. I wish I liked to play the name
calling game as much as you do.
DS
PS: Am I the only one who was actually a little happy the day some big name
sites got hit with DDoS attacks thinking this would finally bring some
attention and real solutions to the problem of DoS attacks? Am I the only
one disappointed with the fact that things have not gotten significantly
better since then?
More information about the NANOG
mailing list