
On Thu, 11 Jul 2002, Kurt Erik Lindqvist wrote:
> > If the ISP doesn't do ingress filtering from the direction of the
> > customer, it will be done somewhere in the internet anyway.  Is it not
                                                                       ^^^
> > _better_ for the customer to get the block immediately (e.g. in the
> > case of misconfigured addresses), rather than have to wait for someone
> > distant to do it.  They won't be getting return packets _anyway_...

Oops, I made a drastic typo when editing the message.  Cut off that 'not',
so we agree.

> Well, if all those packets get filtered somewhere else in the network,
> that part has surely never been in the path to the networks I worked
> for.  We have always seen DoS attacks with forged source addresses.

We perform an additional form of filtering at our border routers to
upstreams and peerings (for ingress, check that our addresses are not
listed; for egress, we drop packets with private and other martian
addresses just to be sure).  This does not, naturally, help with
identifying spoofed DoS attacks reliably.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
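The three source-address checks discussed in the thread, modelled as an added example (not code from the list posters or from any vendor's router): a customer-facing ingress filter that only admits the customer's own block (the first paragraph), a border ingress check that drops packets claiming our own prefixes or a martian source, and a border egress check that drops private/martian sources "just to be sure" (Pekka's description). All prefixes, the customer name and the packets are constructed from documentation and private ranges, and the filters use a plain longest-match membership test via Python's `ipaddress` module rather than any real router ACL syntax.

```python
"""Toy model of the customer-edge and border source-address filtering
described in the thread.  Every prefix and packet here is constructed
for illustration (RFC 5737 documentation ranges and RFC 1918 space)."""
from ipaddress import ip_address, ip_network

# Assumed: the address space "we" announce to upstreams and peers.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumed: one customer and the block assigned to it inside our space.
CUSTOMER_PREFIXES = {"cust-a": [ip_network("192.0.2.128/25")]}

# Private and other martian ranges that never belong as a source on the
# public internet: "this" network, RFC 1918, loopback, link-local,
# multicast and the reserved class E block.
MARTIANS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def customer_ingress(customer, src):
    """Customer-facing interface: only sources from the customer's own
    assigned block may enter (the ISP-side filtering the thread argues for)."""
    addr = ip_address(src)
    if not _in_any(addr, CUSTOMER_PREFIXES[customer]):
        return "drop: source not assigned to customer"
    return "accept"


def border_ingress(src):
    """Packets arriving from upstreams/peers: our own prefixes must not
    appear as a source, and martian sources are dropped as well."""
    addr = ip_address(src)
    if _in_any(addr, OUR_PREFIXES):
        return "drop: our own prefix as source from outside"
    if _in_any(addr, MARTIANS):
        return "drop: martian source"
    return "accept"


def border_egress(src):
    """Packets leaving toward upstreams/peers: drop private and other
    martian sources so they never leak out of our network."""
    addr = ip_address(src)
    if _in_any(addr, MARTIANS):
        return "drop: martian source"
    return "accept"


def run_sample():
    """Apply the three filters to a constructed packet set and return the
    verdicts keyed by (filter point, source address)."""
    packets = [
        ("customer", "192.0.2.130"),  # the customer's real address
        ("customer", "10.1.2.3"),     # private source leaking from customer LAN
        ("customer", "203.0.113.9"),  # forged source outside the customer's block
        ("ingress", "192.0.2.7"),     # outside packet claiming to be us
        ("ingress", "192.168.1.1"),   # martian source from a peer
        ("ingress", "203.0.113.9"),   # plausible remote source, possibly forged
        ("egress", "192.0.2.130"),    # normal outbound traffic
        ("egress", "172.16.5.5"),     # private source about to leak out
    ]
    verdicts = {}
    for where, src in packets:
        if where == "customer":
            verdicts[(where, src)] = customer_ingress("cust-a", src)
        elif where == "ingress":
            verdicts[(where, src)] = border_ingress(src)
        else:
            verdicts[(where, src)] = border_egress(src)
    return verdicts


if __name__ == "__main__":
    for (where, src), verdict in sorted(run_sample().items()):
        print(f"{where:9s} {src:15s} {verdict}")
```

The last ingress case illustrates Pekka's closing caveat: a packet from a peer whose forged source lies in some other network's legitimate space (here `203.0.113.9`) passes the border ingress check, so the border filters protect against leaked martians and impersonation of our own space but cannot identify a spoofed DoS source on their own; only the customer-edge check, applied close to the origin, catches that.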