- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.
This doesn't work except at the very edge of the network. And it creates problems with multi-homed networks where traffic could be going out one connection and back in another. It can't be used on the core of anyone's network at all, which is where this type of attack would be most effective. NANOG has had extensive discussions on this subject in the last few months - see their mailing lists. NANOG has also been discussing this problem for the last few days.
Also, with the large number of Zombie systems out there, spoofing IP addresses is not needed for DDoS attacks.
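As an added worked example (not part of the LWN thread above, and not code from any of the posters): a small Python simulation of the checks under discussion, the customer-edge ingress filter (BCP 38) the first comment asks for, and the strict and loose unicast reverse-path-forwarding (uRPF) variants a router would use further in. It also reproduces the multi-homing problem the reply raises: a legitimate packet arriving over the non-preferred link fails the strict check. The interface names, routing tables and packets are constructed for the illustration; the addresses come from the RFC 5737 documentation ranges.

```python
"""Simulated BCP 38 edge filtering and uRPF checks (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_if: str  # interface the packet arrived on


class Router:
    def __init__(self):
        self.routes = []          # list of (IPv4Network, egress interface)
        self.edge_prefixes = {}   # interface -> prefixes assigned to that customer

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def assign_customer(self, iface, prefix):
        self.edge_prefixes.setdefault(iface, []).append(ipaddress.ip_network(prefix))

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface, or None if unrouted."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def edge_filter(self, pkt):
        """BCP 38 at the customer edge: the source must lie inside the
        prefixes assigned to the interface the packet arrived on."""
        a = ipaddress.ip_address(pkt.src)
        return any(a in net for net in self.edge_prefixes.get(pkt.ingress_if, []))

    def urpf_strict(self, pkt):
        """Strict uRPF: accept only if the best route back to the source
        leaves via the ingress interface. Breaks on asymmetric routing."""
        return self.lookup(pkt.src) == pkt.ingress_if

    def urpf_loose(self, pkt):
        """Loose uRPF: accept if any route to the source exists at all.
        Safe for multi-homing, but only catches unrouted (bogon) sources."""
        return self.lookup(pkt.src) is not None


def edge_router():
    """Constructed access router with one customer on cust0 and a default route."""
    r = Router()
    r.assign_customer("cust0", "203.0.113.0/24")
    r.add_route("203.0.113.0/24", "cust0")
    r.add_route("0.0.0.0/0", "upstream0")
    return r


def multihomed_provider():
    """Constructed provider router with a full table and no default route.
    The multi-homed customer's prefix is preferred via linkA, but the
    customer may legitimately send traffic in over linkB."""
    r = Router()
    r.add_route("203.0.113.0/24", "linkA")
    r.add_route("198.51.100.0/24", "upstream0")
    return r


def run_scenarios():
    edge = edge_router()
    legit = Packet("203.0.113.5", "198.51.100.1", "cust0")
    spoofed = Packet("198.51.100.7", "203.0.113.1", "cust0")  # claims someone else's address

    prov = multihomed_provider()
    asym = Packet("203.0.113.5", "192.0.2.9", "linkB")        # legitimate, non-preferred link
    bogon = Packet("10.7.7.7", "192.0.2.9", "linkB")           # source with no route at all

    return {
        "edge_legit": edge.edge_filter(legit),            # True: inside customer prefix
        "edge_spoofed": edge.edge_filter(spoofed),        # False: dropped at the edge
        "strict_edge_spoofed": edge.urpf_strict(spoofed), # False: best route is upstream0
        "strict_asym": prov.urpf_strict(asym),            # False: the multi-homing false positive
        "loose_asym": prov.urpf_loose(asym),              # True: loose mode tolerates it
        "loose_bogon": prov.urpf_loose(bogon),            # False: unrouted source still caught
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} {'accept' if accepted else 'drop'}")
```

The edge filter is the only one that can be exact, because only the access router knows which prefixes a given port was assigned; the further in you move, the more the check degrades to "is this routed at all", which a zombie sending from its real address passes trivially. Note also that loose mode is only meaningful on a router without a default route, since a default route makes every source look routable.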
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.