Anyway, filtering packets with SRC addresses known to generate
ICMP_UNREACH at the earliest possible stage might be a good idea.
Well, this is what we [collectively] have been talking about doing
as a 'best current practice' since the attacks became evident.
Also, see:
[snip]
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
Title : Network Ingress Filtering
Author(s) : P. Ferguson
Filename : draft-ferguson-ingress-filtering-00.txt
Pages : 6
Recent occurrences of various Denial of Service attacks which have employed
forged source addresses have proven to be a troublesome issue for Internet
Service Providers and the Internet community overall. This paper discusses
a simple, effective and straightforward method for using ingress traffic
filtering to deny attacks which use "invalid" source addresses; prefixes
which are not being legitimately advertized to the Internet via a
particular service provider gateway.
[snip]
Once the document is revised to an acceptable [rough consensus] draft,
I'd like to see it become published as a BCP.
- paul
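
The ingress check the draft's abstract describes, as an added example that is not part of the original message or of the draft: a provider edge forwards a packet only when its source address lies inside a prefix assigned to the customer port it arrived on. The port names, prefixes (documentation ranges) and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed provisioning data (assumption): customer-facing port -> prefixes
# the provider has assigned to, and advertises on behalf of, that customer.
ASSIGNED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "203.0.113.64/26"],
}

def build_filters(assigned):
    """Parse the prefix strings once so the per-packet check stays cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def ingress_permit(filters, port, src):
    """True only if src lies inside a prefix assigned to the arrival port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    # A port with no provisioning entry has no valid sources (default deny).
    return any(addr in net for net in filters.get(port, []))

def apply_filter(filters, packets):
    """Split (port, src) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for port, src in packets:
        bucket = forwarded if ingress_permit(filters, port, src) else dropped
        bucket.append((port, src))
    return forwarded, dropped

# Constructed sample traffic: (arrival port, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17"),      # inside cust-a's prefix
    ("cust-a", "198.51.100.9"),    # valid address, but assigned to cust-b
    ("cust-a", "10.1.2.3"),        # private space, never assigned here
    ("cust-b", "198.51.100.200"),  # outside cust-b's /25 (covers .0-.127)
    ("cust-b", "203.0.113.70"),    # inside cust-b's /26 (covers .64-.127)
    ("cust-x", "192.0.2.17"),      # port with no provisioning entry
]

if __name__ == "__main__":
    fwd, drop = apply_filter(build_filters(ASSIGNED), SAMPLE_PACKETS)
    for port, src in fwd:
        print("forward", port, src)
    for port, src in drop:
        print("drop   ", port, src)
```

The second sample packet is the case the filter exists for: the address is routable and belongs to a real customer, so only the per-port prefix list shows it to be forged.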