Actually, spoofing is NOT easy to stop, and adding filters to routers does nothing to stop spoofed addresses that are within a given ISP's address space.

Secondly, filters consume massive amounts of router CPU time. To filter (egress and ingress) for spoofed originations consumes so much of this resource that it effectively halves the bandwidth available from a given router. Since ISPs are essentially in the business of re-selling commodity bandwidth, this means that PARTIAL protection from spoofed addresses would HALVE THE BANDWIDTH OF THE ENTIRE INTERNET. This means that the price of internet access is going to have to double, ALL JUST SO THAT MICROSPLAT CAN ISSUE YET ANOTHER CRAP OS WITHOUT ANY THOUGHT TO QUALITY OR SECURITY ISSUES. What this means, dear reader, is that you are about to be stuck with yet another involuntary microsplat tax.

Thirdly, because of issue #2 above, there will always be nodes that are not filtering simply because they cannot afford to do so: they are already running close to flat out in order to make a buck, and filtering would impact their duct-taped equipment and available bandwidth in a way that they can't financially accept. Those nodes will become zombie farms, and there will be lots of them. Think Russia, China, Mexico and Brazil.

Finally, the point of spoofing is to make packets untraceable, thereby avoiding detection and responsibility. Since an ISP cannot easily tell if a given user is spoofing some other user within the same address space, it is almost impossible to track the actual source of an attack. Once raw sockets are available to the flood of script-kiddie exploits of the XP boxes that will soon flood the market, things will get very, very bad.

The only thing that has prevented this from happening in the past is the RELATIVE difficulty in taking over raw-socket-capable OSes. As soon as the latest security-free hivesoft monopolyware is disseminated to the winds, the sky will be the limit: point-and-click spoofed DDoS attacks are coming to your local corner of the network, Real Soon Now.
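The first and last points above turn on where a source-address filter sits. The following Python is an added illustration, not code from the post or from any ISP: it models a router with a constructed topology (one ISP block 203.0.113.0/24, two customer ports each holding a /28 out of it; these addresses and port names are assumptions) and runs the same constructed packets through two policies. The coarse, ISP-wide check is the filter the post is talking about and forwards a packet that spoofs a neighbouring customer's address; it goes one step beyond the post by also showing the per-customer-port check (BCP 38 at the customer edge), which catches that case but still cannot distinguish hosts inside a single customer prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # claimed source address in the IP header
    dst: str
    ingress_port: str  # router interface the packet arrived on


# Constructed topology for the example (an assumption, not from the post):
# one ISP block, two customer ports each assigned a /28 out of it.
ISP_SPACE = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_PREFIXES = {
    "port1": ipaddress.ip_network("203.0.113.0/28"),   # .0  - .15
    "port2": ipaddress.ip_network("203.0.113.16/28"),  # .16 - .31
}


def coarse_filter(pkt: Packet) -> bool:
    """ISP-wide source check: forward iff the source is anywhere in ISP_SPACE.

    This is the filter the post describes. It only stops addresses from
    outside the ISP's block; a host spoofing another address inside the same
    block passes unchallenged.
    """
    return ipaddress.ip_address(pkt.src) in ISP_SPACE


def per_port_filter(pkt: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Per-customer-port check (BCP 38 at the customer edge).

    Forward iff the source lies in the prefix assigned to the port the packet
    arrived on. Unknown ports get nothing forwarded.
    """
    allowed = prefixes.get(pkt.ingress_port)
    return allowed is not None and ipaddress.ip_address(pkt.src) in allowed


def run_policy(packets, policy):
    """Apply a policy to each packet; return (forwarded sources, dropped sources)."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if policy(p) else dropped).append(p.src)
    return forwarded, dropped


# Constructed sample traffic, all arriving on port1 (customer prefix .0/28):
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", "port1"),    # legitimate host on port1
    Packet("198.51.100.7", "192.0.2.10", "port1"),   # spoof of an address outside the ISP
    Packet("203.0.113.20", "192.0.2.10", "port1"),   # spoof of a port2 customer's address
    Packet("203.0.113.9", "192.0.2.10", "port1"),    # spoof of a neighbour on the same /28
]


def coarse_result():
    return run_policy(SAMPLE, coarse_filter)


def per_port_result():
    return run_policy(SAMPLE, per_port_filter)


if __name__ == "__main__":
    for name, fn in (("ISP-wide filter", coarse_result), ("per-port filter", per_port_result)):
        fwd, drp = fn()
        print(f"{name}: forwarded={fwd} dropped={drp}")
```

Under the ISP-wide policy only 198.51.100.7 is dropped, so the intra-ISP spoofs 203.0.113.20 and 203.0.113.9 go out looking like someone else's traffic, which is exactly the traceability gap the post complains about. The per-port policy additionally drops 203.0.113.20 because it arrived on the wrong interface, but 203.0.113.9 still passes: a filter keyed on the customer prefix cannot tell which host inside that prefix sent it, so attribution at that point needs something finer than an address check.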