On Fri, 11 Feb 2000 14:40:15 EST, Bernie Volz <volz(_at_)process(_dot_)com>
said:
Regarding the recent TCP SYN Flooding attacks, why aren't ALL ISPs
required to put filtering on their networks that PREVENTS packets with
invalid source addresses ever entering their infrastructure? If every
site connected to the Internet did this, spoofing would be much more
See RFC2267.
The problem is that the IETF doesn't have the legal authority to beat ISP's
into submission on this one. There's also the problem that many ISP's are
somewhat marginal in cluefulness, so things like RFC2267 tend to be of the
"preaching to the choir" variety.
Given that RFC2267 is over 2 years old now, what *do* you suggest the network
community at large do to motivate the sites that still haven't implemented it?
Would somebody be interested in running a BGP blackhole feed of prefixes
known not to be filtering, similar to the maps.vix.com feed for closing
off E-mail spam? Perhaps if that became prevalent, ISPs would cleanup their
act when their legitimate users couldn't get anyplace because their ISP
wasn't filtering.
<As he dons his asbestos underwear> ;)
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech