Owen DeLong writes:
> I will also point out that many of the recent "smurf" attacks and
> similar problems people are having on the net would be gone if people
> would just carefully filter internal/external addresses on their
> border machines, that is, prevent packets claiming to be from "inside"
> networks from coming in from the "outside", and prevent packets
> claiming to be from "outside" networks from going out from the
> "inside". The latter will stop your network from *ever* being the
> source of a wide variety of packet forgery attacks, and is necessary
> to being a good network citizen. The former will stop your network
> from being the subject of a wide variety of packet forgery attacks,
> and is necessary to make your customers even remotely safe on the net.
That's great if you're a downstream provider with no transit customers.
However, when you become a transit provider,
OF COURSE this is mainly a "leaf network" thing, not a thing for
Large providers serving "leaf networks" with well defined connection
points to them *can* do some filtering -- in particular, they can
refuse to pass packets to a network claiming to originate from within
it, and they can refuse to accept packets from a network claiming not
to come from within it. That is not, of course, the true transit
Extensive filtering *will* reduce the denial of service attacks of
this sort we are getting. They can never eliminate them, but they
*will* help. I cannot urge strongly enough that people start
implementing this sort of filtering as soon as possible.
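The two filtering rules the thread describes, plus the per-customer variant for providers with well-defined connection points, written out as an added Python example (not code from the thread or its authors); the network prefixes, interface names and customer labels are constructed assumptions.

```python
import ipaddress

# Constructed example prefixes, not taken from the original thread.
INSIDE = [ipaddress.ip_network("192.0.2.0/24")]          # our own network
CUSTOMERS = {                                            # leaf networks we serve
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25")],
}

def in_any(addr, nets):
    """True if addr falls inside one of the given prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def border_filter(iface, src):
    """Leaf-network border rule. 'outside' arrivals must not claim an inside
    source (protects us); 'inside' departures must claim an inside source
    (keeps us from sourcing forged packets)."""
    if iface == "outside":
        return "drop" if in_any(src, INSIDE) else "pass"
    if iface == "inside":
        return "pass" if in_any(src, INSIDE) else "drop"
    raise ValueError(f"unknown interface {iface!r}")

def customer_port_filter(direction, customer, src):
    """Provider rule at a customer's connection point. Packets *to* the
    customer must not claim to originate within it; packets *from* the
    customer must claim to originate within it."""
    inside = in_any(src, CUSTOMERS[customer])
    if direction == "to_customer":
        return "drop" if inside else "pass"
    if direction == "from_customer":
        return "pass" if inside else "drop"
    raise ValueError(f"unknown direction {direction!r}")

def audit(packets):
    """Apply border_filter to constructed (label, iface, src) records and
    return the labels of packets that would be dropped."""
    return [label for label, iface, src in packets
            if border_filter(iface, src) == "drop"]

# Constructed sample traffic: one forged inbound, one forged outbound.
SAMPLE = [
    ("legit-in",   "outside", "198.51.100.7"),   # real external source
    ("forged-in",  "outside", "192.0.2.10"),     # claims to be inside
    ("legit-out",  "inside",  "192.0.2.10"),     # real inside source
    ("forged-out", "inside",  "10.0.0.1"),       # not ours, would be spoofed
]
```

Running `audit(SAMPLE)` lists `forged-in` and `forged-out` as the two packets the border would discard; neither rule touches the legitimate pair.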