Just to add my $0.02. The best they could hope for would be disallowing your
default gateway from connecting to your ssh server... whoop-de-doo.

On 9/23/05, Wolfgang S. Rupprecht <[EMAIL PROTECTED]> wrote:
>
> <[EMAIL PROTECTED]> writes:
> > My only question is what if I traceroute to you, find out the IP number
> of your upstream router? Then I make a bunch of connection attempts to your
> IP but forge the packets to make them look like they came from your
> upstream. Don't *you* end up blacklisting your default route and you become
> 'so long suckah'd?
>
> This isn't a problem for 2 reasons.
>
> 1) The upstream router isn't likely to be the destination of any
> packet in a consumer-isp situation. Only if you are running some
> routing protocol that uses that upstream router as an endpoint
> (eg. rip, ospf, etc) will a block against that router's IP matter
> to you.
>
> I've heard of cases where folks intentionally add an IP-level block
> against their ISP's whole infrastructure. (Some ISP's don't allow
> any "servers". If they find an sshd hanging on port 22 are they
> going to hassle you? Just block 'em.)
>
> 2) Forging the source IP in a TCP packet and succeeding in negotiating
> the 3-way handshake isn't all that simple any more. I wouldn't
> worry about it. If someone could forge that reliably, there is
> much better game to go after (like breaking into machines that
> still use IP addresses for authorization.) Someone spoofing an IP
> so that you mistakenly block an innocent party is pretty much
> wasting a good trick.
>
> -wolfgang

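The thread's two points (a blocker only ever sees addresses that completed the TCP handshake and reached sshd, and the gateway/ISP infrastructure should be exempt from blocking anyway) can be made concrete with a small log-driven blocker. This is an added example, not code from either poster: the log lines are constructed in the style of OpenSSH's auth log, and the gateway address and ISP block (RFC 5737 documentation ranges) are assumptions standing in for a real network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd auth-log lines (not from the original thread).
# sshd writes a "Failed password" line only after the TCP handshake has
# completed and an authentication attempt was made, so a spoofed SYN
# from a forged source never shows up here at all.
SAMPLE_LOG = """\
Sep 23 10:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 54321 ssh2
Sep 23 10:01:04 gw sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 54322 ssh2
Sep 23 10:01:06 gw sshd[4103]: Failed password for root from 203.0.113.5 port 54323 ssh2
Sep 23 10:01:07 gw sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 54324 ssh2
Sep 23 10:01:09 gw sshd[4105]: Failed password for root from 198.51.100.1 port 40001 ssh2
Sep 23 10:01:10 gw sshd[4106]: Failed password for root from 198.51.100.1 port 40002 ssh2
Sep 23 10:01:11 gw sshd[4107]: Failed password for root from 198.51.100.1 port 40003 ssh2
Sep 23 10:01:12 gw sshd[4108]: Failed password for root from 198.51.100.1 port 40004 ssh2
Sep 23 10:01:20 gw sshd[4109]: Accepted publickey for wolfgang from 192.0.2.77 port 51000 ssh2
Sep 23 10:01:30 gw sshd[4110]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
"""

# Matches OpenSSH's failed-password line and captures the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

# Assumed local topology: the default gateway and the ISP's infrastructure
# block are never candidates for blocking, so even if someone did manage to
# forge traffic from them we would not cut ourselves off from the net.
NEVER_BLOCK = [
    ipaddress.ip_network("198.51.100.1/32"),   # assumed default gateway
    ipaddress.ip_network("198.51.100.0/24"),   # assumed ISP infrastructure
]


def failed_logins(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_protected(addr, protected=NEVER_BLOCK):
    """True if addr falls inside any network we refuse to block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in protected)


def addresses_to_block(log_text, threshold=3, protected=NEVER_BLOCK):
    """Sorted list of offenders at or over the threshold, minus protected ones."""
    return sorted(
        addr
        for addr, n in failed_logins(log_text).items()
        if n >= threshold and not is_protected(addr, protected)
    )


def block_rules(log_text, threshold=3, protected=NEVER_BLOCK):
    """Render iptables commands for the addresses that are safe to block."""
    return [
        f"iptables -I INPUT -s {addr} -p tcp --dport 22 -j DROP"
        for addr in addresses_to_block(log_text, threshold, protected)
    ]


if __name__ == "__main__":
    for rule in block_rules(SAMPLE_LOG):
        print(rule)
```

With the constructed log, 203.0.113.5 (four failures) gets a rule, 198.51.100.1 (also four failures) is skipped because it is the assumed gateway, and 192.0.2.9 stays under the threshold. The exemption list is the practical answer to the "block your own default route" worry; the handshake requirement is what keeps forged SYNs from ever appearing in the input.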