
11 Jul 2002, 3:23 p.m.
If the ISP doesn't do ingress filtering from the direction of the customer, it will be done somewhere in the internet anyway. Is it not _better_ for the customer to get the block immediately (e.g. in the case of misconfigured addresses), rather than have to wait for someone distant to do it? They won't be getting return packets _anyway_...
Well, if all those packets get filtered somewhere else in the network, that part has surely never been in the path to the networks I worked for. We have always seen DoS attacks with forged source addresses.

...and I think that having the customer wait is better than having a few networks cripple under load.

- kurtis -