syn attack and source routing

  i should have been more specific. i don't like the idea (at all) of
breaking traceroute -g either. i guess in a more general sense i
should ask "just how dangerous *is* having backbone-wide/internet-wide
loose source routing enabled?".

As Curtis explained, "not very".

Want to wait until SYN attacks are augmented with LSRR-enabled
traffic randomization to the point of making it nearly impossible
to trace?

People knew about SYN flooding for years. Nothing happened until
s*t hit the fan. I strongly suspect that LSRR is of the same

This is a very different case from that of SYN flooding, where the
victims are powerless to stop it.

Now, providers being unable to trace would be a nice addition.

Please don't take our LSRR away from us, it is very useful.

Per se, LSRR is not useful. traceroute -g is.

Why not to implement something saner like traceroute servers?

Or better yet, the ICMP TRACEROUTE message, which would go
hop by hop and on every hop generates a response message.
Augmented with PROXY TRACEROUTE which will cause the destination
box to send out the ICMP TRACEROUTE.

I can write RFC in my copious spare time if you think that this
makes more sense than the UDP kludge.

Campaigning to remove something just because you suspect it might be
bad is really not nice -- it will result in random clueless people
believeing you when perchance they should not :slight_smile:

Ah. I love the "the moozhik won't cross until thunder rolls" attitude.