Re: Internet SYN Flooding, spoofing attacks
2000-02-14 17:10:02
> tomorrow demands. And, agreed, bogus source IPs _do_ at present time
> look like nothing but the devil's work. But in, say, 10 years a new flashy
> technology could be requiring that you have the ability to stamp packets with
> other IPs than your own. Unfortunately, back in year 2000, somebody put in
There already are some perfectly legitimate reasons to send packets
with "alien" IP source addresses. Mobile IP is the best example, but
various virtual private networking schemes also do this. For example,
I have a VPN set up over my cable modem so I can have a block of
static IP addresses for my home network. I had to do some work to
evade the $#@!! source IP address ingress filtering in my cable
network. I do it by tunneling the upstream packets through a machine
at work.
Being forced to tunnel not only increases the size of each packet, but
also entails suboptimum routing and reliance on yet more network
elements. I use the new Linux policy routing mechanisms to tunnel
only those packets that have to be tunneled, which helps. But it would
sure be nice if I didn't have to tunnel my outbound packets at all.
Source address ingress filtering is one of those ideas that seems like
a good one when you first think about it, but it just doesn't pan out.
It interferes with some perfectly legitimate activities, it doesn't
really stop the bad guys, and it deflects attention away from the real
solutions.
In the case of MS-DOS (Multiple Source-Denial of Service) attacks like
the ones we saw last week, we need to deploy better inter-router
mechanisms to deal with congestion by moving the packet drop points as
far upstream as possible toward the senders. And if these mechanisms
can work for deliberate flooding attacks, they'll also deal with
non-deliberate congestion.
Phil
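The interaction described above, modelled as an added example (not code from the post or its author): an ISP-side source-address ingress filter that inspects only the outermost IP header, and a home-router policy-routing decision that tunnels only packets whose source lies outside the cable provider's prefix. All addresses are constructed documentation-range values, and the iproute2 commands in the comment are an assumed equivalent, not the author's configuration.

```python
"""Model of ISP source-address ingress filtering and the policy-routed
tunnel that works around it. Addresses are constructed documentation-range
values, not the author's real ones."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

CABLE_PREFIX = ip_network("203.0.113.0/24")    # constructed: prefix the cable ISP hands out
STATIC_BLOCK = ip_network("198.51.100.16/28")  # constructed: static block for the home LAN
CABLE_MODEM_IP = "203.0.113.45"                # constructed: home router's cable-side address
TUNNEL_PEER = "192.0.2.10"                     # constructed: machine at work ending the tunnel
IPIP_OVERHEAD = 20                             # bytes added by an outer IPv4 header


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int
    outer_src: Optional[str] = None   # set when the packet is encapsulated
    next_hop: str = "isp-gateway"


def ingress_filter_passes(pkt: Packet, allowed=CABLE_PREFIX) -> bool:
    """ISP-side filter: only the outermost source address is examined."""
    return ip_address(pkt.outer_src or pkt.src) in allowed


def policy_route(pkt: Packet) -> Packet:
    """Home-router decision: tunnel only packets the ISP filter would drop.
    Assumed iproute2 equivalent (not from the post):
        ip rule add from 198.51.100.16/28 table 100
        ip route add default dev tun0 table 100
    """
    if ip_address(pkt.src) in CABLE_PREFIX:
        return pkt                                   # native source: send directly
    return replace(pkt, outer_src=CABLE_MODEM_IP, next_hop=TUNNEL_PEER,
                   size=pkt.size + IPIP_OVERHEAD)    # encapsulate toward work


def send(pkt: Packet) -> dict:
    """Route a packet and report what the ISP's ingress filter does with it."""
    routed = policy_route(pkt)
    return {"tunnelled": routed.outer_src is not None,
            "next_hop": routed.next_hop,
            "wire_size": routed.size,
            "passes_filter": ingress_filter_passes(routed)}


if __name__ == "__main__":
    lan = Packet("198.51.100.20", "192.0.2.77", 1400)   # constructed LAN host traffic
    print("raw LAN packet passes filter:", ingress_filter_passes(lan))
    print("after policy routing:", send(lan))
    print("router's own traffic:", send(Packet(CABLE_MODEM_IP, "192.0.2.77", 1400)))
```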