SYN flood messages flooding my mailbox

>2. Filter based on source address on inbound packets from singly
>homed sites.

>A singly homed site cannot have assymetric routing since there is no
>ohter path.

The site does not have to be single-homed for filtering to be applicable.

If you relax criteria for reverse-route filtering to "known route" instead
of "best route" then any customer (non-transit) AS can be filtered safely
at border routers.

And if the "known route" is know by another router but suppressed from
IBGP advertisement because there is a better route ..

Or if the "known route" goes through an AS that uses YOU as their best
route but the reverse traffic goes a different way..

Both of these cases and other cause a blackhole.

Of course, if by "known route" you mean known because it is in the
IRR, and the IRR is known to be reliable, then I accept your argument
but caution that the IRR is not always reliable, but this is yet
another reason to make it more reliable.

As for traceability -- fat load of good it does to you if you discover
that the hacker was smart enough to use an unprotected box somewhere in
Taiwan or Brazil as a staging poing for attack. I've had situations when
i traced attacks to places like that and was anything but unable to
explain local sysadmins what i wanted from them. Simply because they don't
speak English at all. There are places where they simply don't have
any laws in regard to computer crime, and no Interpol offices. Any
really malicious attacker with more than two neurons would be out of
your reach, and unhindered.

We've had providers shut down sites because they were slow to address
hacking launched from their site. In one case an NSFNET regional shut
down a large university because their CS department just said
"security is a hard problem" and refused to do anything. After 4 days
of no Internet access they had things quite thoroughly cleaned up.
The hacker in this case may very well have been Mitnick because it
similar attacks were seen from Netcom and were those that hit SDSC and
both the Netcom and university attacks occurred about a month prior to
Mitnick getting caught.

BTW, the enforcement of source address authenticity allows for automated
SYN flooding attack defenses -- if your host sees a stream of SYNs at a
rate more than X pps it simply starts to ignore the SYNs from
that particular source! (A simple algorithm would take care of roaming
sources within some network -- you just sort SYNs by buckets of different
sizes and shut down those which have SYN rate counts higher than
some threshold).

Shutting down the source is a lot easier if you know the source.