On 16 Feb 00, at 12:56, Bennett Todd boldly uttered:

> Allowing forged source addrs in and out of your nets is bad hygiene.

I agree in many ways, but there are *some* cases where it can be legit and useful: i.e. some kinds of network troubleshooting, or for that matter, testing for things like smurf vulnerability :-)

> And if DDoS attacks couldn't use forged source addrs, they couldn't
> use smurf to amplify their effects, and they couldn't be reused at
> all; the moment a victim starts capturing packets, they'd have the
> source addrs of all the machines in the attacker's DDoS net --- and
> building those nets remains the relatively hard prep work for
> mounting one of these attacks. If we had universal ingress
> filtering, the moment someone started launching one of these the
> victim could start contacting the compromised sites, and if they
> refused to address their problem they could request that the streams
> be blocked by the compromised sites' providers.

Seems to me that the packet-authentication aspect of IPv6 would go a long way toward making sure you can track the source of packets too. IPv6 would solve a variety of things, including helping to track down spammers. I'm thinking maybe we should start pushing for faster adoption of it. I wonder how many organizations used the Y2K upgrade opportunity to install IPv6-compatible hardware on their networks.
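The ingress-filtering idea in the quoted paragraph, as an added example that is not part of the original post or thread: a small Python model of a provider edge router that applies a BCP 38 style source-address check on each customer-facing interface and then summarizes which interface the dropped (forged-source) packets arrived on. The interface names, customer prefixes and sample packets are constructed for illustration (RFC 5737 documentation addresses), not taken from the message.

```python
import ipaddress
from collections import Counter

# Constructed example: customer-facing interfaces of a border router and the
# address blocks assigned to each customer (hypothetical values).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def ingress_allowed(ingress_if, src):
    """BCP 38 style ingress filter: a packet entering from a customer
    interface must carry a source address inside that customer's prefixes.
    Unknown interfaces have no allowed prefixes, so everything is dropped."""
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in net for net in CUSTOMER_PREFIXES.get(ingress_if, []))


def filter_packets(packets):
    """Split packets into (accepted, dropped). Each packet is a dict with
    'iface' (ingress interface), 'src', 'dst' and 'proto'."""
    accepted, dropped = [], []
    for pkt in packets:
        target = accepted if ingress_allowed(pkt["iface"], pkt["src"]) else dropped
        target.append(pkt)
    return accepted, dropped


def spoof_report(dropped):
    """Count dropped packets per ingress interface. This is the evidence the
    message describes: the filter pins forged-source traffic to the customer
    network that emitted it, even though the source field says otherwise."""
    return Counter(pkt["iface"] for pkt in dropped)


# Constructed sample traffic: two legitimate packets, a smurf-style pair whose
# source is a victim address (203.0.113.7) forged behind cust-b, and one
# packet from cust-a with a private source that was never assigned to it.
SAMPLE_PACKETS = [
    {"iface": "cust-a", "src": "192.0.2.10", "dst": "203.0.113.1", "proto": "tcp"},
    {"iface": "cust-b", "src": "198.51.100.5", "dst": "203.0.113.1", "proto": "udp"},
    {"iface": "cust-b", "src": "203.0.113.7", "dst": "192.0.2.255", "proto": "icmp"},
    {"iface": "cust-b", "src": "203.0.113.7", "dst": "198.51.100.127", "proto": "icmp"},
    {"iface": "cust-a", "src": "10.0.0.9", "dst": "203.0.113.1", "proto": "icmp"},
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted={len(ok)} dropped={len(bad)}")
    for iface, count in spoof_report(bad).items():
        print(f"{iface}: {count} packet(s) with a source outside its assigned prefixes")
```

The point of the report function is the one the quoted text makes: once every provider edge applies such a check, a forged-source stream cannot leave its origin network at all, and where it does, the drop counters on the ingress interface identify the compromised site without needing the packets' source field to be truthful.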
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:32 PDT