SYN floods (was: does history repeat itself?)

I think you are talking about filtering inbound packets to your
router and restricting them to BGP announcements (I don't
think Avi was - see below). This would be done on the destination
address (checking it was within your announced route set) and
thus doesn't help protect against spoofed source addresses. I
*think* what Avi was talking about was filtering outbound packets
by source address and checking these are within announced routes.
This has additional problems to those listed below where, for
instance, there are deliberately asymmetrical announcements.

Here are some complications with both schemes. Suppose you
have an exchange point where providers peer, but A and B exchange
full routing for backup transit purposes (we do this with another
provider over LINX for example). Then if A wants to filter (say)
inbound packets based on whether or not they are for networks
A announces, I have to find out who they are coming from as
A announces full routing to some people (B) and not normal
peers such as C. Incoming packets don't have the IP address
of the last hop router, though I suppose this could be obtained
through ARP, then matched against the IP addresses of BGP neighbours.
But suppose B is giving transit to some networks not within B's
normal announcement to D, without setting next-hop-self. Then
in a backup transit situation I will blackhole packets from D,
as I will be announcing the nets to B who will in turn announce
them to D, whose ARP address I don't correlate to an IP address
of a BGP neighbour which I announce those routes to. Route
servers make the entire process even more complex as here you
are getting incoming packets from (or sending outgoing packets
to) IP addresses with whom you have no BGP session.

Maybe I'm missing something, but I think any non-trivial
transit arrangements make this difficult to say the least.

Alex Bligh
Xara Networks
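As an added illustration (not part of Alex's post, and not code from any of the networks he names), the following Python model reproduces the inbound-filter idea and the blackhole case described above. The prefixes, the exchange-LAN addresses, the MAC addresses in the ARP table and the provider names A, B, C, D are all constructed for the example; "last hop" is recovered from the frame's source MAC via the ARP table, as the post suggests, and then matched against the BGP neighbours A announces routes to.

```python
from ipaddress import ip_address, ip_network

# --- Constructed topology (illustration only; not from the original post) ---
# A's own customer prefix, and a prefix A carries as backup transit for B.
A_OWN = [ip_network("192.0.2.0/24")]
TRANSIT_VIA_A = [ip_network("198.51.100.0/24")]   # announced by A only to B

# Exchange-LAN addresses of the routers A sees frames from (constructed).
B_ROUTER, C_ROUTER, D_ROUTER = "203.0.113.2", "203.0.113.3", "203.0.113.4"

# What A announces to each BGP neighbour: full routing to B (backup transit),
# only A's own nets to the normal peer C. D is B's customer and has no
# BGP session with A at all.
ANNOUNCED_TO = {
    B_ROUTER: A_OWN + TRANSIT_VIA_A,
    C_ROUTER: A_OWN,
}

# ARP table: last-hop MAC -> exchange-LAN IP, i.e. how A learns "who sent this".
ARP_TABLE = {
    "00:00:5e:00:53:02": B_ROUTER,
    "00:00:5e:00:53:03": C_ROUTER,
    "00:00:5e:00:53:04": D_ROUTER,
}


def dest_in_announced(dst, prefixes):
    """Filter 1 from the post: is the destination inside a set of announced routes?
    This looks only at the destination, so it cannot catch a spoofed source."""
    d = ip_address(dst)
    return any(d in p for p in prefixes)


def inbound_filter(src_mac, dst):
    """Filter 2 from the post: accept an inbound packet only if its destination
    is one A announced to the neighbour the packet actually came from.
    Returns (accepted, reason)."""
    last_hop = ARP_TABLE.get(src_mac)
    if last_hop is None:
        return False, "unknown last hop"
    prefixes = ANNOUNCED_TO.get(last_hop)
    if prefixes is None:
        # The blackhole case: a router we exchange packets with but have no BGP
        # session with (B's customer D when B does not set next-hop-self, or
        # anyone reached through a route server).
        return False, f"no BGP session with {last_hop}"
    if not dest_in_announced(dst, prefixes):
        return False, f"{dst} not announced to {last_hop}"
    return True, "ok"


def demo():
    """Walk the four situations from the post; returns (mac, dst, accepted, reason)."""
    cases = [
        ("00:00:5e:00:53:03", "192.0.2.10"),     # C -> A's own customer: accept
        ("00:00:5e:00:53:03", "198.51.100.10"),  # C -> net A never announced to C: drop
        ("00:00:5e:00:53:02", "198.51.100.10"),  # B -> transit net during backup: accept
        ("00:00:5e:00:53:04", "192.0.2.10"),     # D -> A's own net, learned via B: blackholed
    ]
    return [(mac, dst, *inbound_filter(mac, dst)) for mac, dst in cases]


if __name__ == "__main__":
    for mac, dst, ok, why in demo():
        print(f"{ARP_TABLE[mac]:>12} -> {dst:<14} {'ACCEPT' if ok else 'DROP  '} ({why})")
```

The last case is the false positive the post is about: D's traffic to A's own customers is perfectly legitimate, but because A's only handle on the sender is the last-hop address, and that address has no BGP session with A, the filter drops it. The same lookup fails for every router reached through a route server, since those frames also arrive from addresses A has no session with.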