Re: Internet SYN Flooding, spoofing attacks

[Paul Ferguson]

At 09:14 PM 02/11/2000 -0500, Vijay Gill wrote:

>This only works on single homed customers. Due to asymmetric routing, the
>customer can source _valid_ ip addresses from an ip source address that is
>not routed over that interface.  I too would prefer some sort of magic
>unicast RPF, but the best compromise is the built-in access filter.  The
>solution must be general enough to work for multihomed, defaulting out
>customers with blocks from n providers,

No, that is a common misconception, or rather, an overstatement of
a pretty easily described situation. It only breaks things in transit
situations, and only in transit situations where you might not have
the same forwarding path back to the source as you would via the same
interface a packet came in on.

This is a small percentage, I would thing, since the percentage of
ISP's offering transit pales in comparison to all other "access"
ISP's that do not. And in cases where ISP's _do_ offer transit, or
have transit agreements, will they really do this on their transit
interfaces? I think not.

- paul