I'm by no means an expert, and I'm not even sure I'd say I'm knowledgeable
about this topic. But I'm spitting out my 2 cents worth anyway. :-)
> I'm afraid that I wasn't too clear on what my confusion is. I
>actually did understand why the filter wouldn't prevent SYN attacks. My
>confusion was the statement in the CERT of "With the current IP protocol
>technology, it is impossible to eliminate IP-spoofed packets.", implying
>that you can't stop IP-spoofing totally.
Wouldn't having all routers filter out packets with a source IP outside the
router's net severely limit IP spoofing? Wouldn't this require using valid IP
addresses from within the router's *realm*? You could spoof an address, but
it would have to be valid for the router to pass it on.
> I think what I am being told is that this packet filtering would
>prevent any packets spoofed to your own internal net address, but would not
>be able to prevent spoofs of someone else's address from coming in.
I think you're correct here.
>sure what the implications of the other addresses being spoofed would be to
>my network security, unless I am allowing a trusted access of sorts.
> Maybe that's naive? Any other comments?
Well one implication is a SYN attack.
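To make the filtering rule in this thread concrete, here is a small simulation added as an example; it is not code from the original post or from any router vendor. It assumes a constructed interface table: each customer-facing interface lists the prefix legitimately behind it, and the upstream interface accepts any source except our own prefixes. The sample packets are constructed too. It shows both halves of the discussion: a source outside the interface's net is dropped, a packet from outside claiming one of our internal addresses is dropped at the border, but a spoofed address that is still valid for the interface it arrives on passes, which is the gap the CERT statement is pointing at.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table (an assumption for this example, not from the
# original post). Each customer link lists the prefix the router expects
# behind it; None marks the upstream link, where any source is legitimate
# except addresses belonging to our own nets.
INTERFACES = {
    "cust0": [ip_network("192.0.2.0/24")],
    "cust1": [ip_network("198.51.100.0/24")],
    "uplink": None,
}

# Every prefix the router itself is responsible for.
OUR_NETS = [net for nets in INTERFACES.values() if nets for net in nets]


def ingress_permits(iface, src):
    """Return True if a packet with source address `src` arriving on
    interface `iface` is allowed through by the source-address filter."""
    src = ip_address(src)
    allowed = INTERFACES[iface]
    if allowed is None:
        # Border case: a packet from the outside world must not claim to
        # come from one of our internal nets.
        return not any(src in net for net in OUR_NETS)
    # Customer case: the source must fall inside the prefix behind that link.
    return any(src in net for net in allowed)


def filter_packets(packets):
    """Apply the filter to (iface, src) pairs; return (iface, src, verdict)."""
    return [
        (iface, src, "pass" if ingress_permits(iface, src) else "drop")
        for iface, src in packets
    ]


# Constructed sample traffic. The comments say what each packet represents.
SAMPLE_PACKETS = [
    ("cust0", "192.0.2.10"),      # legitimate host on cust0
    ("cust0", "203.0.113.5"),     # cust0 host spoofing an unrelated net
    ("cust0", "192.0.2.99"),      # cust0 host spoofing a neighbour: valid for
                                  # the link, so the filter cannot catch it
    ("cust1", "192.0.2.10"),      # cust1 host spoofing a cust0 address
    ("uplink", "203.0.113.7"),    # ordinary external traffic
    ("uplink", "198.51.100.3"),   # external packet claiming an internal address
]


def verdicts():
    """Verdict per sample packet, in order."""
    return [v for _, _, v in filter_packets(SAMPLE_PACKETS)]


if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:7} src={src:15} {verdict}")
```

The third packet is the one to notice: the router has no way to tell 192.0.2.99 was forged by a host on the same link, so the spoof goes through, exactly as the thread says. Filtering at every router narrows spoofing to addresses valid for the sending link; it does not remove it.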