Is there a line of defense against Distributed Reflective attacks?

• Previous message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Next message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 17 Jan 2003, hc wrote:

> >
> >
> >>
> >
> > Good point.
> >
> > I suppose another basic but effective method of prevention would be
> > egress filtering. An increasing minority of network providers are
> > instituting it, but it doesn't seem like it will be a widespread thing
> > in the near-term.
> >
>
> Yes, but egress filtering is only effective by far. Anyone can forge the
> source to an IP address that belongs to one of the /16's a provider
> advertises.

filter close to the end host, this limits (mostly) to the local /24 or /25
or /2(>5)...

>
> It will help of course, but really not The solution... Or is there one?
>

haha, there isn't one :( since even with no spoofing you can muster an
army of 100,000 IIS servers still scanning for nimda :(

• Previous message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Next message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]