
RE: Internet SYN Flooding, spoofing attacks

2000-02-16 09:10:02
Eliot,

Some of the DoS attacks we saw last week were good, old-fashioned SYN floods. Hosts do have a responsibility here, more than ISPs, since it is quite feasible to tie up a host's pool of TCBs with a small number of packets, even if the attack tool does not use spoofed source addresses (or if the spoofed addresses are from a legitimate pool allocated to a subscriber site).

The point I have tried to make, unsuccessfully, is not that performing ingress filtering is bad, and thus should not be performed. Rather, I am pointing out that it is a bad idea to rely on such filtering as a primary means of defense. There are several reasons for saying this:
        - not all ISPs will find it feasible to provide such filtering
        - not all ISPs are trusted to do the filtering (in the global Internet)
        - a number of DDoS attacks can be launched without using spoofed addresses outside of those "appropriate" to the subscriber site
        - some applications may legitimately make use of non-local addresses, as others have suggested

I have seen a long history of suggested solutions to security problems which are only partially effective against current forms of attacks, vs. providing protection against a larger class of attacks. I'm trying to suggest that we not follow this pattern.

Finally, there is a diminishing difference between what a script kiddie can do, vs. a clever attacker, because the clever attackers are freely distributing higher quality attack tools. "Empowerment" is a hallmark of modern Internet attacks :-).

Steve
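An added illustration of the host-side point in the message above (example written for this archive page, not code from the original mail): a toy model of a fixed-size half-open TCB pool under a slow SYN flood from addresses inside one subscriber /24, which ingress filtering would pass, next to a simplified stateless SYN-cookie check that lets a host avoid allocating a TCB until the handshake completes. The pool size, timeout, packet rate, addresses and cookie layout are assumptions, and the cookie omits the MSS encoding a real stack uses.

```python
"""Toy model of a listener's half-open TCB pool under a SYN flood (constructed example)."""
import hashlib
import hmac


class HalfOpenPool:
    """Fixed-size pool of half-open TCBs; an entry is held until the SYN-ACK retransmit budget ends."""

    def __init__(self, capacity, hold_seconds):
        self.capacity = capacity
        self.hold = hold_seconds
        self.entries = {}  # (src_ip, src_port) -> time the entry is released

    def offer_syn(self, src_ip, src_port, now):
        """Allocate a TCB for a new SYN; return False when the pool is exhausted (SYN dropped)."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        if len(self.entries) >= self.capacity:
            return False
        self.entries[(src_ip, src_port)] = now + self.hold
        return True


def simulate_flood(capacity=128, hold_seconds=75.0, attack_pps=5, legit_times=(10, 40, 70)):
    """Attacker sends attack_pps SYNs/s from 192.0.2.0/24 (assumed legitimate subscriber range,
    so address-based filtering passes them) and never finishes the handshake.
    Returns {second: True/False} for whether a legitimate SYN at that second got a TCB."""
    pool = HalfOpenPool(capacity, hold_seconds)
    result, sent = {}, 0
    for second in range(max(legit_times) + 1):
        for _ in range(attack_pps):
            pool.offer_syn(f"192.0.2.{sent % 254 + 1}", 1024 + sent % 60000, float(second))
            sent += 1
        if second in legit_times:
            result[second] = pool.offer_syn("198.51.100.9", 50000, float(second))
    return result


def syn_cookie(secret, src_ip, src_port, dst_port, client_isn, minute):
    """Stateless server ISN: 5-bit minute counter plus a 27-bit MAC over the flow and client ISN."""
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{minute}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((minute & 0x1F) << 27) | (mac & 0x07FFFFFF)


def verify_cookie(secret, src_ip, src_port, dst_port, client_isn, ack, minute_now):
    """Accept the final ACK (ack == cookie + 1) if it matches the current or previous minute;
    only then does the host spend a TCB on this connection."""
    cookie = (ack - 1) & 0xFFFFFFFF
    return any(cookie == syn_cookie(secret, src_ip, src_port, dst_port, client_isn, m)
               for m in (minute_now, minute_now - 1))
```

With the defaults, 5 unspoofed SYNs per second keep 375 half-open entries in flight against a pool of 128, so every legitimate SYN after the first 25 seconds is dropped; the cookie path never fills the pool because nothing is stored before the third packet arrives.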