
Re: Internet SYN Flooding, spoofing attacks

2000-02-11 17:10:04
Paul,

I object to the characterization of my comments as "propagating FUD." One might equally well suggest that 2267 constitutes a naive model of how to prevent IP spoofing, but I was polite enough not to say that :-).

From a security perspective, it is never desirable to rely on a mechanism that assumes that everyone else does "the right thing." When one suggests that a first-tier ISP would not need to filter traffic from downstream providers, because IF they do the filtering, then the problem will not arise via those links, one is suggesting precisely this sort of model.

Edge filtering would often be helpful, but it is not a panacea, as pointed out by others in regard to the current set of attacks, nor is the performance impact trivial with most current routers. Because most routers are optimized for transit traffic forwarding, the ability to filter on the interface cards is limited, as I'm sure you know. Also, several of the distributed DoS attacks we are seeing do not use fake source addresses from other sites, so simple filtering of the sort proposed in 2267 would not be effective in these cases.

Finally, I am aware of new routers for which this sort of filtering would be child's play, but they are not yet deployed. One ought not suggest that edge filtering is not being applied simply because of laziness on the part of ISPs.

Steve
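An added illustration of the point made above about 2267-style filtering; this is not code from the thread or from any ISP's configuration. It implements a minimal RFC 2267 ingress check on a customer-facing link (forward only if the source address lies in a prefix assigned to that link) using constructed prefixes and traffic from the RFC 5737 documentation ranges, and shows that a spoofed source is dropped while a flooding host that uses its real address passes untouched.

```python
import ipaddress

# Constructed example: prefixes an ISP has assigned to one downstream
# customer link. RFC 5737 documentation ranges, not real assignments.
DOWNSTREAM_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def ingress_permits(src: str, prefixes=DOWNSTREAM_PREFIXES) -> bool:
    """RFC 2267 style ingress check on a customer-facing interface:
    a packet is forwarded only if its source address belongs to one of
    the prefixes assigned to that link; anything else is dropped as
    spoofed. The check says nothing about *why* a valid source is sending."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def classify(packets, prefixes=DOWNSTREAM_PREFIXES):
    """Apply the ingress filter to (src, dst) pairs and return two lists:
    packets that would be forwarded and packets that would be dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if ingress_permits(src, prefixes) else dropped
        bucket.append((src, dst))
    return forwarded, dropped


# Constructed traffic as seen on the customer interface.
SAMPLE = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate host on the link
    ("10.9.8.7", "203.0.113.5"),        # spoofed: not assigned to this link
    ("198.51.100.200", "203.0.113.5"),  # spoofed: outside the /25 assigned
    ("192.0.2.77", "203.0.113.5"),      # flooding host using its real address
]

if __name__ == "__main__":
    fwd, drop = classify(SAMPLE)
    print("forwarded:", fwd)  # includes the flooding host at 192.0.2.77
    print("dropped:  ", drop)
```

The flooding host at 192.0.2.77 is forwarded exactly like the legitimate one, which is why source filtering alone does not address distributed attacks that do not spoof.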