SYN floods continue

Again, the rule is "dont accept packets from an interface if there's no
route for their source addresses pointing back to the same interface".
Note that that route does not have to be the best one -- just that the
router gets it from somewhere.

Without discussing it with the right folks here ahead of time, I suspect we
could do this at good speed in some, but not all routers, in our product
line. The solution I have in mind would not be suitable for some places in
the net. We'd put the extra checks in the slow path which Curtis hates so
much, and then use our 'flow-switching' cache, which is keyed by src/dest
adresses & ports. So packets which fail the source address scrutiny in the
slow path aren't put in the flow-switching cache. I can't recall if we
cache negatives there, but in any event apparently the attacks involve SYN
flows on the order of 100's of PPS, which might go through the slow path
OK. BTW, I believe the criterion Vadim suggest is similar to that used in
RPF Multicast flooding.

Now the big question: is this useful in routers carrying a default route?

  -- Jim