[e2e] DDoS attack vs. Spoofing of Source Address
Fred Baker
fred at cisco.com
Thu Jan 19 16:43:23 PST 2006

Your first point is valid, but yet we see spoofing in the network -
less than a while back, but still a lot. Ingress Filtering has value
in limiting spoofing, and while yes it helps the customers of other
networks, it also helps the customers of my network, which I will
argue is my incentive to deploy it. In limiting spoofing, I partially
mitigate certain classes of attacks as close to their source as I can
put it.

Note that managing DDoS attacks is never a matter of applying one
golden tool and suddenly they all go away; rather, we identify high
percentage solutions to specific attacks ("gee, this DDoS seems to be
a whole lot of folks starting to download the home page and then
going away; let's change the URL of the web page and reply to the
download request with a simple response that redirects the requester
to it. Maybe the bogons won't follow.") and apply them.

I don't see people focusing on spoofing per se. I do see them using
anti-spoof measures as one of the armaments in their arsenal.

On Jan 19, 2006, at 1:55 PM, John Kristoff wrote:
> On Thu, Jan 19, 2006 at 12:23:27PM -0800, Joe Touch wrote:
>
>>> Many DoS agents have had the ability to randomly fake the source
>>> address and of course they commonly come up with a "bogon".
>>
>> Sure. That sounds more like a bug in their source address checking
>> code, IMO.
>
> If I were to think as an attacker, why would I spend my effort writing
> perfect spoofing code when it is clearly not necessary for my attacks
> to be effective? Likewise, if I'm one trying to mitigate the attacks,
> why would I focus on trying to stop spoofing?
>
> John
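
An added illustration, not part of the original message or the thread: a minimal sketch of the ingress-filtering decision discussed above, applied at a customer-facing edge port. It contrasts it with a bogon-only check, which catches randomly faked sources only when they happen to fall in a special-purpose range. The customer prefix, the sample addresses and all function names are assumptions made for the example; the bogon list is deliberately short and non-exhaustive.

```python
import ipaddress
from collections import Counter

# Non-exhaustive list of special-purpose IPv4 ranges that are never valid
# sources on the public Internet ("bogons" in the thread's terms).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumption: the prefix assigned to the customer behind this edge port
# (a documentation range used as a stand-in).
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

def is_bogon(src):
    """True if src falls in one of the special-purpose ranges above."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def classify(src, customer_prefixes=CUSTOMER_PREFIXES):
    """Ingress-filter decision for a packet arriving from the customer."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in customer_prefixes):
        return "permit"
    # Anything else is spoofed from this port's point of view; the label
    # only records whether a bogon filter alone would also have caught it.
    return "drop-bogon" if is_bogon(src) else "drop-spoofed"

def summarize(sources, customer_prefixes=CUSTOMER_PREFIXES):
    """Count decisions over a list of observed source addresses."""
    return Counter(classify(s, customer_prefixes) for s in sources)

def missed_by_bogon_filter(sources, customer_prefixes=CUSTOMER_PREFIXES):
    """Spoofed sources that a bogon-only filter would let through."""
    return [s for s in sources
            if classify(s, customer_prefixes) == "drop-spoofed"]

# Constructed sample of source addresses seen on the customer-facing port.
SAMPLE = ["198.51.100.7", "10.1.2.3", "240.9.9.9",
          "203.0.113.50", "192.168.0.9", "198.51.100.200"]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print(missed_by_bogon_filter(SAMPLE))
```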