Regarding the recent TCP SYN Flooding attacks, why aren't ALL ISPs
required to put filtering on their networks that PREVENTS packets with
invalid source addresses ever entering their infrastructure? If every
site connected to the Internet did this, spoofing would be much more
difficult because you couldn't do it. Sure, you could spoof an address
from YOUR network, but that's all. And guess what, it would be much
easier to track and thus to shut down the intrusions should they occur.
Thus every edge router should have filter lists that prevent it
forwarding traffic out to the Internet (ISP's network) any packet that
does not have a source address that is valid from that site.
I would hope that lots of ISPs already do this. But, perhaps not.
- Bernie Volz
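
The edge-router filter described in the message above, modelled as an added example that is not part of the original post. The site prefixes (documentation ranges), port names, packet records and function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed example: the prefixes assigned to one customer site.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]


def source_is_valid(src, prefixes=SITE_PREFIXES):
    """Return True only if src parses as an address inside one of the site's prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: never forward
    # A v4 address is never "in" a v6 network (and vice versa), so mixing is safe.
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into forwarded and dropped; count drops per inside port."""
    forwarded, dropped, drops_by_port = [], [], Counter()
    for pkt in packets:
        if source_is_valid(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_by_port[pkt["in_port"]] += 1  # points at where to start tracing
    return forwarded, dropped, drops_by_port


# Constructed outbound traffic arriving at the site's edge router.
SAMPLE = [
    {"in_port": "eth1", "src": "192.0.2.17", "dst": "198.51.100.5"},   # legitimate host
    {"in_port": "eth2", "src": "203.0.113.9", "dst": "198.51.100.5"},  # source outside the site
    {"in_port": "eth2", "src": "10.1.2.3", "dst": "198.51.100.5"},     # private-range source
    # Another host at the site could forge this one; the filter cannot tell,
    # but the packet is still attributable to this site.
    {"in_port": "eth1", "src": "192.0.2.200", "dst": "198.51.100.5"},
    {"in_port": "eth3", "src": "2001:db8:10::5", "dst": "2001:db8:ffff::1"},
]

if __name__ == "__main__":
    fwd, drop, by_port = filter_egress(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)} drops_by_port={dict(by_port)}")
    for pkt in drop:
        print("DROP", pkt["in_port"], pkt["src"], "->", pkt["dst"])
```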