Re: SYN spoofing

[Dan Hollis <goemon () sasami anime net>]

On Wed, 28 Jul 1999, Jeremy Porter wrote:
> > You can at least conclusively show who is transporting the
> > invalid-source-address-packets to the endpoint. That is, conclusively show
> > that the next-to-last-hop isnt properly filtering.
> But that doesn't really do any good.  They have valid reasons for
> not running IP verify unicast reverse path on their backbone routers
> due to asymetric routing.

Note I wasnt talking about RPF I was talking about bogons. The last
few smurf attacks I saw, bogons were a large percentage of total smurf
volume.

> Maybe we should ask Cisco for a  "no ip bogons" command.

Would be nice especially if it defaulted to on (like current 'no
directed-broadcast').

> Yes it would be good to filter.  Maybe it should even be a BCP.
> Maybe the next router requirements should require routers to filter
> bogons at wire rate.

Well for terminal servers this should certainly be a reasonable
requirement. An option to disconnect any port which is found to be
sourcing invalid addresses would be excellent. It would certainly be a
deterrent to the script kiddies if they knew each time they fired up the
smurfer, that they automatically lose their connection.

> Interprovider cooperation to track and filter the packets is the correct
> solution, however difficult it might be.

And how many years have we been screaming about this with no progress.
There seems to be zero incentive for interprovider cooperation.
We need to give them incentive. But what?

-Dan