On Tue, 8 Oct 2002, Kelly J. Cooper wrote:

> Also, egress filtering is NOT easy,

I don't care. And it doesn't have to be egress filtering as such,
filtering packets you receive from your customers will work just as well.

> Plus, lots of attacks these days are mixing spoofed and legit traffic,
> or doing limited spoofing (i.e. picking random addresses on the LAN
> where they originate to make it past filters).

What's your point? That because someone can do bad thing #1 that can't be
prevented, we should allow them to do bad thing #2 that can?

If they use (semi-) legitimate addresses, at the very least I can track
them and with some effort I can filter them. If they spoof then I can't do
anything. This is not acceptable.
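
An added illustration of the argument in the message above, not part of the original post: a source-address check applied to packets received on customer-facing ports. It shows that arbitrary spoofing is dropped, while "limited spoofing" inside the customer's own prefix is forwarded but stays attributable to that customer. Port names, prefixes (RFC 5737 documentation ranges) and packets are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed data: hypothetical customer ports and the prefixes assigned to them.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

def check_source(port, src):
    """Return 'forward' if src lies in a prefix assigned to the ingress port, else 'drop'."""
    addr = ipaddress.ip_address(src)
    nets = CUSTOMER_PREFIXES.get(port, [])
    return "forward" if any(addr in n for n in nets) else "drop"

def filter_packets(packets):
    """Apply the check to (port, src) pairs; return forwarded packets and per-port drop counts."""
    forwarded, dropped = [], Counter()
    for port, src in packets:
        if check_source(port, src) == "forward":
            forwarded.append((port, src))
        else:
            dropped[port] += 1
    return forwarded, dropped

def attribute(src):
    """Map a source address seen upstream back to the customer port that can emit it."""
    addr = ipaddress.ip_address(src)
    for port, nets in CUSTOMER_PREFIXES.items():
        if any(addr in n for n in nets):
            return port
    return None

# Constructed packets: (ingress port, claimed source address).
SAMPLE = [
    ("cust-a", "192.0.2.10"),      # real host on cust-a's LAN
    ("cust-a", "192.0.2.77"),      # limited spoofing: random address on the same LAN
    ("cust-a", "203.0.113.5"),     # arbitrary spoofed source
    ("cust-b", "192.0.2.10"),      # cust-b claiming an address assigned to cust-a
    ("cust-b", "198.51.100.200"),  # real host on cust-b's LAN
]

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE)
    for port, src in fwd:
        print(f"forwarded {src} on {port}; traceable to {attribute(src)}")
    print("dropped per port:", dict(drops))
```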
