New Denial of Service Attack on Panix

Anyway, filtering packets with SRC addresses known to generate
ICMP_UNREACH at the earliest possible stage might be a good idea.

Well, this is what we [collectively] have been talking about doing
as a 'best current practice' since the attacks became evident.

Also, see:


A New Internet-Draft is available from the on-line Internet-Drafts

       Title : Network Ingress Filtering
       Author(s) : P. Ferguson
       Filename : draft-ferguson-ingress-filtering-00.txt
       Pages : 6

Recent occurrences of various Denial of Service attacks which have employed
forged source addresses have proven to be a troublesome issue for Internet
Service Providers and the Internet community overall. This paper discusses
a simple, effective and straightforward method for using ingress traffic
filtering to deny attacks which use "invalid" source addresses; prefixes
which are not being legitimately advertized to the Internet via a
particular service provider gateway.


Once the document is revised to an acceptable [rough consensus] draft,
I'd like to see it become published as a BCP.

- paul