New Denial of Service Attack on Panix

In the same document:

  4. Liabilities


     Also, while ingress filtering drastically reduces the
     success of source address spoofing, it does not preclude an
     attacker using a forged source address of another host
     within the permitted prefix filter range.

I.e. a single compromised host in the "permitted prefix filter range"
can cause as much trouble as the current attacks. Granted, it's a bit
easier to track down a host like this, but eliminating the majority of
compromisable hosts is even more difficult than global implementation of
the cited document. The bitter irony is that non-implementation of this
draft will most probably corelate with presence of compromisable hosts.

Thus host-(and firewall-)based solutions are at least as important as
the ingress filtering.

As of the evidence of these attacks - they were evident long before the
current talking.


Paul Ferguson writes: