A protocol change seems overkill for a problem that should be rather simple to fix. Any of these would do:
- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.
- More randomness in transient port selection. Would make this kind of guessing a few orders of magnitude harder, i.e. not practical. I mean, this is hardly a new attack, it just hasn't been considered practical before.
- Specifically protecting BGP or other vulnerable protocols by either (1) ingress source filtering, (2) ingress TTL filtering, (3) md5 signing of packets
Finally, to quote (from memory) davem: Anyone who suggests replying to an RST doesn't understand tcp.
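The three mitigations the comment lists are simple enough to model. The following is an added example, not code from the commenter or from LWN: a toy edge filter that applies BCP38 ingress source filtering and RFC 5082 GTSM TTL checking to constructed packets, plus a small calculation of how much a randomised ephemeral port enlarges the search space an off-path sender faces, which is where the "few orders of magnitude" comes from. All addresses are hypothetical RFC 5737 documentation ranges, the customer prefix and the 16 KiB window are assumptions, and the MD5 option (RFC 2385) is left out because it needs a keyed MAC on real TCP segments rather than this packet model.

```python
import ipaddress
import math
from dataclasses import dataclass

BGP_PORT = 179           # TCP port used by BGP
GTSM_EXPECTED_TTL = 255  # RFC 5082: a directly connected peer sends TTL 255


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int


# Constructed sample data: the prefix assigned to the customer behind the
# interface these packets arrive on (hypothetical RFC 5737 documentation range).
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def bcp38_allows(pkt: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Ingress source filtering: only sources inside the prefixes legitimately
    assigned to this interface may enter, so spoofed sources are dropped here."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)


def gtsm_allows(pkt: Packet) -> bool:
    """Ingress TTL filtering (GTSM): BGP traffic from a directly connected peer
    arrives with TTL 255; a lower TTL means it crossed at least one router and
    so cannot have come from the neighbour on this link."""
    if BGP_PORT not in (pkt.sport, pkt.dport):
        return True  # the rule only protects the BGP session
    return pkt.ttl == GTSM_EXPECTED_TTL


def filter_packet(pkt: Packet) -> str:
    """Apply the two filters in order and return the verdict."""
    if not bcp38_allows(pkt):
        return "drop:spoofed-source"
    if not gtsm_allows(pkt):
        return "drop:ttl-too-low"
    return "accept"


def blind_guess_space(window: int, ephemeral_ports: int = 1) -> int:
    """Number of (port, sequence) combinations an off-path sender must cover to
    land one segment inside the receive window: 2^32 / window sequence steps,
    multiplied by the number of equally likely ephemeral ports.  With a
    predictable port the second factor is 1."""
    return math.ceil(2**32 / window) * ephemeral_ports


def randomisation_gain(window: int, low: int = 1024, high: int = 65535) -> float:
    """Orders of magnitude (log10) added by choosing the ephemeral port uniformly
    from [low, high] instead of predictably."""
    ports = high - low + 1
    return math.log10(blind_guess_space(window, ports) / blind_guess_space(window, 1))


def run_examples():
    """Constructed packets: legitimate peer, spoofed source, off-link BGP
    segment, and unrelated traffic that GTSM must not touch."""
    pkts = [
        Packet("198.51.100.5", "198.51.100.1", 40000, 179, 255),   # real neighbour
        Packet("203.0.113.9", "198.51.100.1", 40000, 179, 255),    # source not ours
        Packet("198.51.100.7", "198.51.100.1", 179, 50123, 240),   # TTL shows extra hops
        Packet("198.51.100.8", "198.51.100.1", 55555, 443, 60),    # not BGP, TTL irrelevant
    ]
    return [filter_packet(p) for p in pkts]


if __name__ == "__main__":
    print(run_examples())
    print(f"gain from port randomisation at a 16 KiB window: "
          f"{randomisation_gain(16384):.1f} orders of magnitude")
```

The GTSM check is deliberately applied only to segments that involve port 179: applying a TTL-255 rule to all traffic would break every legitimate multi-hop flow, which is why RFC 5082 scopes it to the protected session. Note that the gain from port randomisation is independent of the window size, since the window only scales the sequence-number term that both cases share.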
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.