[e2e] DDoS attack vs. Spoofing of Source Address

Joe Touch touch at ISI.EDU
Fri Jan 20 08:49:56 PST 2006



John Kristoff wrote:
> On Thu, 19 Jan 2006 16:43:23 -0800
> Fred Baker <fred at cisco.com> wrote:
> 
>> Your first point is valid, but yet we see spoofing in the network -  
>> less than a while back, but still a lot. Ingress Filtering has value  
>> in limiting spoofing, and while yes it helps the customers of other  
>> networks, it also helps the customers of my network, which I will  
>> argue is my incentive to deploy it. In limiting spoofing, I partially 
>> mitigate certain classes of attacks as close to their source as I can 
>> put it.
> 
> Darn it, I knew someone was going to say something like that as if
> I think limiting spoofing in general is a waste of time.  That is
> not the message I intended to convey.  Limiting is good and it does
> help.  I'm a supporter of it and I do it rigorously in networks I
> help run (and let me tell you how much of a pain it is to manage for
> multicast service some time).  However, it is not going to make most
> of the DoS attacks seen today go away one bit.
> 
> John

I tend to agree - the issue with ingress filtering is that:

	for stubs: it helps ensure that hosts on your stub are
	playing nice and not spoofing addresses outside your stub

	for interchanges: it helps ensure that your interchange
	doesn't propagate traffic spoofed from elsewhere

I.e., it basically makes sure YOU follow the rules; it says nothing
about what others do. While it's certainly appropriate to install such
filters, trusting them is not an option, since the filters you would
really need to trust aren't under your control.

Joe
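The stub-versus-interchange distinction Joe draws above, worked through as an added Python model that is not code from the list or from any of its posters. The topology, prefixes, router names and the `forward`/`filters_on_path` helpers are all constructed assumptions: each router's interfaces carry an ingress filter (a list of source prefixes that may arrive there) or `None` for no filter, and a packet is walked hop by hop to see where, if anywhere, it is dropped.

```python
"""Toy model of ingress (BCP 38 style) source-address filtering along a path.

Constructed example: two stubs (A, C), two transit networks (T1, T2) and a
victim stub V.  A, T1 and V filter; C and T2 do not.  Documentation prefixes
(RFC 5737) are used throughout.
"""
import ipaddress


def nets(*cidrs):
    """Build a list of ip_network objects from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# router -> {ingress interface -> allowed source prefixes, or None for "no filter"}
TOPOLOGY = {
    # Stub A polices its own hosts: only A's prefix may be sourced from them.
    "A":  {"hosts": nets("192.0.2.0/24"), "T1": None},
    # Interchange T1 filters its customer-facing ports (A and V), but has no
    # prefix list it can apply on the port toward its peer T2.
    "T1": {"A": nets("192.0.2.0/24"), "V": nets("198.51.100.0/24"), "T2": None},
    # Interchange T2 deploys no ingress filtering at all.
    "T2": {"C": None, "T1": None},
    # Stub C deploys no ingress filtering at all.
    "C":  {"hosts": None, "T2": None},
    # Victim stub V polices its own hosts, like A.
    "V":  {"hosts": nets("198.51.100.0/24"), "T1": None},
}

# Hop lists: (router, interface the packet arrives on), in forwarding order.
PATH_A_TO_V = [("A", "hosts"), ("T1", "A"), ("V", "T1")]
PATH_C_TO_V = [("C", "hosts"), ("T2", "C"), ("T1", "T2"), ("V", "T1")]


def ingress_allows(router, iface, src):
    """True if the filter on router/iface accepts a packet with source src."""
    allowed = TOPOLOGY[router][iface]
    if allowed is None:          # unfiltered interface: everything passes
        return True
    return any(src in net for net in allowed)


def forward(path, src_ip):
    """Walk the packet along path.

    Returns (delivered, dropped_at): dropped_at names the router whose ingress
    filter rejected the source address, or is None if the packet got through.
    """
    src = ipaddress.ip_address(src_ip)
    for router, iface in path:
        if not ingress_allows(router, iface, src):
            return False, router
    return True, None


def filters_on_path(path):
    """Routers along path that actually inspect the source address."""
    return [router for router, iface in path if TOPOLOGY[router][iface] is not None]


def demo():
    """Three cases: a legitimate A packet, A spoofing C, and C spoofing A."""
    return {
        "A_legit":    forward(PATH_A_TO_V, "192.0.2.10"),    # (True, None)
        "A_spoofs_C": forward(PATH_A_TO_V, "203.0.113.7"),   # (False, 'A')
        "C_spoofs_A": forward(PATH_C_TO_V, "192.0.2.9"),     # (True, None)
        "checks_on_C_path": filters_on_path(PATH_C_TO_V),    # []
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The third case is the point of the thread: A, T1 and V all filter rigorously, yet a packet from C carrying A's address reaches V untouched, because none of the hops it crosses on the way in belongs to a network that filters. The filters that would have caught it sit in C and T2, which the victim does not control.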
