dsl providers that will route /24

David Schwartz davids at webmaster.com
Fri Mar 30 11:05:39 UTC 2001



	I'm going to keep this really simple and go really slow so there's no
chance of a misunderstanding.

	You have a customer A. He has two customers, B and C. Your filter allows A,
B, and C's assigned addresses as source addressees on the link to/from
customer A.

	Your customer A, receives a packet from customer B with a source address
assigned to customer C. Your filter allows it even though it's spoofed. You
know why that is? Because your filter can't tell a spoofed packet from an
unspoofed packet.

	Customer B dials up to another ISP. He gets an IP address. He sends a
packet sourced with that IP address to your customer A who forwards it to
you. It's not spoofed, but your filter blocks it. Do you know why that is?
Because your filter can't tell a spoofed packet from an unspoofed packet.

	You may be entirely happy with your filter, and it may be doing exactly
what you want it to do. I won't dispute that. But the fact remains that your
filter cannot tell a spoofed packet from an unspoofed packet. And there's a
simple reason for this -- your filter can't tell where a packet actually
originated, and that's what you need to know to tell whether it's spoofed or
not.

	Do you understand my point yet? A filter cannot tell a spoofed packet from
an unspoofed packet. We've gone back and forth about four times and this
simple point still seems to elude you. I wish I liked to play the name
calling game as much as you do.

	DS

	PS: Am I the only one who was actually a little happy the day some big name
sites got hit with DDoS attacks thinking this would finally bring some
attention and real solutions to the problem of DoS attacks? Am I the only
one disappointed with the fact that things have not gotten significantly
better since then?





More information about the NANOG mailing list