Frank Stollar wrote:
Jeremy Brooking wrote:

Thing is its only a patch, the solution (as mentioned before) is a
simple matter of service providers correctly configuring their network
devices. Routers/switchs etc, should not forward packets for address
ranges they are not responsible for.

You are all right. I don't understand that so many ISP forward packet
out of their net, which has wrong source IP. Here in munich, the first
router would drop your paket if it has a sourceip which does not belong
to this subnet. I really ask me _why_ so many ISPs don't do that?!?

you asked .. heh

Fallover and ignorance .. those are your two reasons.   Some people /
networks like being able to have a cheap fallover..  What is that? ..
very weak multi-homeing.  The down side is that only what you _send_ can
go out the other pipe.  ie assume two different networks (isp's) and
we'll assume no routing control upstream either:

     [host]     - you connect initially with network "a"
    /     \	-  suddenly your 1a connection dies (attack)
  [a]     [b]   -  route 1a drops, 1b picks it up
1a\       /1b    -  Snag:  "Host", is connected to your 1a address.
   \[you] /		 even though you are _sending_ via 1b, it is
			sending to your 1a address.

This works fine for something like irc, news ticker .. etc. Because for
the most part, as long as you keep the connection alive, and the other
end is willing to keep a running queue (buffer) for you, the connection
is good for at least 10-15Min ..


Ignorance is a big one because most people, are in over their heads and
don't know / care.   The truth is we would still have a very bad smurf
problem if it weren't for public lists of open networks, floating around.

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux

Reply via email to