And if everyone doesn't make any attacks we won't have any problems
either. To rephrase - relying on ingress filtering is putting your
security in someone other's hands, doing host-based stuff is protecting
yourself with your own hands. To rephrase once again - doing ingress
filtering is "being conservative with what you produce", being able to
cope with SYN floods on the host level is "being liberal on what you
accept." We need both, and overemphasising one side of the solution will
do a lot of harm.
Dima
Paul Ferguson writes: