I want to make it crystal clear that source address filtering
does not fix the SYN flooding or other spoofed-source address
It only makes it easier to track down the perpetrator.
If the goal of an attacker is to damage the business for
one or two hours such an attack can be launched from a
throw-away staging point; after the hacker cleaned up
Tell VISA or any other serious commercial customer that their
operations can be stopped for an hour by any newbie who can
retype a page from 2600. I think you'll be laughed at.
Per-se reducing the number of clueless newbies trying to
play hakerz is good and worthwhile; and as such source
address filtering is a valuable tool and should be deployed
However, source address filtering is particularly hard to
implement for large ISPs (it'll require quite extensive
modifications to configurations). Having only 100 filter
lists per cisco box doesn't help too much, too (there are
boxes with more than 100 "logical" interfaces on MIP cards).
For a large ISP, implementing source filtering is going to
be a monumental task.
Given the "tragedy of commons" nature of the problem (you
work hard to implement filters, which do not benefit _you_)
i'm quite sceptical that it will get us anywhere. Note that
the significant progress in CIDR was achieved only after
years of screaming, threats and all-out hand twisting (can
you say Sean's filter?)
That's why i tried to communicate the idea of creating such
filters automagically, by using the reverse-route approach.
That would allow to make it the default behaviour, at least
for T-1s or less.
Again, source filtering is only a part of solution. It does
not eliminate the attack mechanism per se. That's why the
statistical traffic monitoring for the traffic patterns showing
on-going flooding attacks with consequent automatic shut-off
is a valuable deterrent. It reduces the attack detection and
prevention time to half-minute or less. For all practical
purposes that will make attaks like that rather harmless, and
will shift the burden of responsibility from targets of attacks
to those who unwittingly or (worse) knowingly provide assistance
to hackers by being lazy or simply clueless.
The goal is to have the network to be able to contain anti-social
behaviour on its own. The technology can do muhc better than an
army of cops, so a technological solution should be preferred to
any solution involving human (or, worse, lawyer) intervention.
The network is great as a right to speak tool. Now we should think
hard on how to support right to not listen. Deniability of
communicaton is not a new concept, after all.