how to protect name servers against cache corruption

The same could be said of IP. If you forge packets and ICMP or UDP attack

MAE's) you can do it with impunity and effectively knock entire ISP's off
the internet.

I'm unaware of any attacks occurring now that do not leverage superior
bandwidth (i.e., ping flooding from a DS3 to a DS1 circuit) that are not
addressed in some manner at an operating system or user level.

"And how do I configure my router for that?" Use access-lists to prevent
your networks from accepting spoofed packets from your customers, or
insist that they use such filters on their routers.

This is not a valid answer. People who think that the entire Internet can
be globally configured to prevent packet forgery from occurring in the
first place are deluding themselves, and I think we, as Internet
professionals with an understanding of how these protocols work,
understand that.

Unfortunately, a bizarre faction of people have decided that the best way
to address problems that are made difficult to repair by the design of
legacy software is to deny that they A.) exist or B.) are fixable.

"Wait for IPsec" and "Wait for DNSsec" are, in my opinion, inadequate
answers. "Prevent packet forgery from happening" seems ludicrous.

Apologies for the quantity of opinion here. Thanks for writing.

> MAE's) you can do it with impunity and effectively knock entire ISP's off
> the internet.

I'm unaware of any attacks occurring now that do not leverage superior
bandwidth (i.e., ping flooding from a DS3 to a DS1 circuit) that are not
addressed in some manner at an operating system or user level.

Many educational institutions have greater than T1 bandwidth to the net,
and these seem to be the easiest places for anyone to just walk in and get
ethernet access (with no authentication) to a T1 or better, and proceed to
wreak havoc on the net.

I'd wager I could walk into a computer lab at the local university, and
using either Windows tools or Linux on a floppy, do incredibly destructive
things without being caught...probably without being noticed...assuming
they do no filtering of traffic (based on source address) leaving their
network, and assuming I don't sit there indefinitely.

This is not a valid answer. People who think that the entire Internet can
be globally configured to prevent packet forgery from occurring in the
first place are deluding themselves, and I think we, as Internet

Can or will? If there are reasons the entire net cannot be made IP source
address forgery safe, enlighten me. I don't disagree that the likelihood
of this actually happening is right up there with me being declared
Emperor of the US next week, but just because total success is highly
improbable doesn't mean resistance is futile.
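
An added illustration, not part of the thread or written by any of its posters: the source-address filter both messages refer to (an access-list on each customer-facing interface, or on traffic leaving a campus network), modelled in Python over constructed packets. The interface names and prefixes are hypothetical and use documentation address ranges.

```python
import ipaddress

# Constructed (hypothetical) mapping: customer-facing interface -> prefixes
# assigned to that customer. Documentation address ranges only.
CUSTOMER_PREFIXES = {
    "Serial0": ["192.0.2.0/24"],
    "Serial1": ["198.51.100.0/25", "203.0.113.0/24"],  # customer with two blocks
}

def build_filters(table):
    """Parse the prefix strings once into ip_network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}

def permit(filters, ifname, src):
    """Return True if a packet arriving on ifname with source src passes.

    Unknown interfaces and unparsable sources are denied (default deny),
    mirroring the implicit deny at the end of an access-list.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filters.get(ifname, []))

def audit(filters, packets):
    """Split (ifname, src, dst) records into permitted and dropped lists."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if permit(filters, pkt[0], pkt[1]) else dropped).append(pkt)
    return passed, dropped

# Constructed sample traffic as (interface, source, destination).
SAMPLE = [
    ("Serial0", "192.0.2.10", "203.0.113.5"),    # honest source
    ("Serial0", "198.51.100.7", "203.0.113.5"),  # forged: another customer's block
    ("Serial0", "10.1.2.3", "203.0.113.5"),      # forged: private address
    ("Serial0", "192.0.2.200", "203.0.113.5"),   # forged, but inside own /24
    ("Serial1", "198.51.100.200", "192.0.2.1"),  # outside the /25, dropped
    ("Serial1", "203.0.113.9", "192.0.2.1"),     # second assigned block
]

if __name__ == "__main__":
    ok, bad = audit(build_filters(CUSTOMER_PREFIXES), SAMPLE)
    print("permitted:", ok)
    print("dropped:  ", bad)
```

The fourth sample packet passes: a per-interface filter confines forged sources to the customer's own prefix, which keeps the traffic traceable to that link but does not tell hosts within the prefix apart.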