There's not much 2G infrastructure left in the US, and the carriers are migrating people off it as fast as they can, so they can recycle the spectrum for 4G, which is a lot more spectrum-efficient as well as offering higher speeds. Otherwise, I'd be really happy to get one of these to be the spare phone that sits in my wife's car for emergencies. (The battery life is a big part of the appeal here.)
QNX and RTLinux and such are great if you need sub-millisecond response for your home automation systems. You don't. If you do, you're doing it wrong.
If your Internet-O-Things devices have spinning motors driving sharp-edged blades, you should be using hardware or at most electrical methods to do automatic stopping. If your electrical things use high voltage that might be exposed to people, you should be using ground fault interrupters on them. If you've got voice-operated instructions, they may need to process sound quickly, but you should buffer it if there's anything really critical. If your vacuum-cleaner robot scares the cat, responding in 100ms should be good enough (it'll probably have more mechanical inertia than that.) If your hot tub thermostat is sampling temperatures every millisecond, it'll be ok if the controller misses a few seconds worth of samples, as long as you don't do something stupid like treat missed samples as "0".
So the neutrino (i.e. something other than vacuum) hit another particle (also something other than vacuum), which grabbed some nearby nothingness to create a third particle? Sorry, but to me, the first two parts of it mean you're not creating stuff out of vacuum.
English is at its core a Germanic language. The grammar's descended from German versions of Indo-European, not Romance or Celtic versions, and if you take the basic vocabulary it's Anglo-Saxon. (For instance, the 1000-2000-word Basic English subsets are almost all Germanic.) There's a lot of French layered on top of it, from the Norman conquest, but it's mostly vocabulary and fancier words, not the core language. (And technical jargon being derived from Latin and Greek doesn't count; that's an artifact of Latin being the lingua franca of educated people for centuries.)
It's not just that the French have an Academie that defines the language rules. It's also that the French Kings and later Parisian governments spent centuries imposing their language on the rest of France, banning the use of Provencal and Breton and Basque and all the other regional languages, whether Romance or Celtic or other.
Most of the US authors and artists I know who self-publish have recently been ranting about VAT MOSS compliance costs, and how it's basically too difficult and expensive to make it worth selling to Europeans since the new law kicked in, so their web sites now won't sell to you if you ask to ship to Europe.
The ones who aren't ranting about it either don't know about the issue, or are just planning to ignore the taxes.
I've never been nearsighted, but I've now needed reading glasses for a decade due to age. Some astigmatism, plus slightly different magnifications for one eye than the other. What works well for me is to have my optometrist prescribe one set of glasses for computer use (with the focus distance set for computer distance, which is longer than the book-reading distance that standard reading glasses focus on), and a combination of drugstore glasses and older computer glasses scattered around the house and car, and a couple of special pairs (like the reading-lens safety glasses and the extra-strength readers for close work.)
So there are computer glasses at home and work that (almost) never leave their desks, and general-purpose reading glasses elsewhere. Most of them come from Zenni Optical, who make decent glasses really cheap ($10-20 for boring frames, unless you need progressives.) The catch with them is that you do need to know the pupillary distance, which your optometrist won't always write down unless you specifically ask, and that measurement depends on the focus distance (so computer glasses will be different than book-reading glasses or distance glasses.)
I also have a few of those skinny drug-store glasses that come in tubes, so you can leave one in the laptop bag or jacket pocket and it won't get squashed. Not perfect, but good enough for short periods of reading, or for restaurant menus.
The point of Stingrays is that they're controlled by the cops, not the phone company, and they can hijack cellphones whenever an "authorized" user wants, without the inconvenience of actually having to present documentation to somebody at the phone company claiming to have a warrant or equivalently warrant-like document.
By contrast, the point of COWs is to be mobile so you can deploy large additional cell capacity at locations that don't normally need it, and the point of femtocells is to be able to get phone service where there's not enough signal and to provide data service to your phone using your own (free) internet connections instead of paying the phone company for expensive mobile data (though the latter application is largely handled by Wifi these days.)
What I'd really like for an application like this is something that can run on a $50 burner phone, most of which run Android 2.3 because they don't have the CPU horsepower for 4.x (or more realistically, something I can run on my old Android 2.1 phone :-) There are starting to be
This is mainly because I'm not interested in rooting my main phone, but would like to try it anyway, but also, if I were doing the kinds of protests where cops are hauling around IMSI catchers to track people, I'd want to be using a burner phone.
(Yes, I realize that here in the San Francisco Bay Area, a "Burner Phone" can just as well mean a propane-powered phone with a steam whistle and an MDMA dispenser in the back that only runs on the Playa.)
No, the 4th Amendment bans "unreasonable" searches and seizures. The warrant kicks in when a court thinks a search or seizure *would* be reasonable, and has a lot of limitations like particularly describing what's being searched for, and the court's supposed to kick the prosecutors out if the search wouldn't be reasonable. (Yeah, right, don't hold your breath too long.)
Wiretapping a phone requires a warrant, and it's not clear whether broad general wiretaps like IMSI catchers violate the 4th Amendment even if they can get a court to rubber-stamp them. (It's clear to me that they're not, but I'm not in charge of policy, and with Roberts in charge of the Supreme Court, he's presumably just fine with them.)
There are two kinds of people who announce they can do something like that - the ones who don't have a clue how hard it is, and the ones who don't care because their objective is to scam investors. (Seasteading's a lot easier, but most of the proposals I've seen for that have been the scammer types.)
Yes, getting enough equipment up to the moon to build a moon base is something you can do if you've got enough cash. Doing it as a private industry (rather than a government doing it) means you also need a revenue model once you've built it, and if you've done due diligence you won't find much revenue up there, even if you manage to get rid of inconvenient UN treaties that ban owning the moon.
But building an ecosystem that can sustain your moon colony is really hard; we don't know how to keep small pilot projects like Biosphere II running for very long without cheating and restocking the atmosphere, or how to build dirt without a ready supply of nitrogen and phosphate to grow plants with. It's a lot easier to deal with that on a moon base than on Mars, because you can send an occasional care package, but it's not like the convenience of restocking the International Space Station (which doesn't recycle most of its resources either.)
I disagree with much of the discussion and analysis in the article - optimal number of players and game length depends a lot on the group you're playing with. How many people are at the event, is it a gaming event or is it a party where there are also games, how much do the people want to talk about the game vs. non-game socializing while playing.
Back when my wife was playing games a couple of nights a week and I was occasionally joining, the right choices seemed to be games that could handle 3-5 players because that let you get a table of people together but was somewhat flexible since different people liked different games, and it was occasionally useful to have pickup games that could handle as many as 6-8. 2-player games were less social, so they were mainly useful as quick filler games if you had latecomers or the other games were full up, but longer 2-player games were more useful for playing at home. Consistent length was also valuable - everybody breaks up into groups to play a game, and when the first round of games ends, people can switch around easily if they all take about the same amount of time. I think the optimum tended to be 1.5-2 hours, but I don't remember as well. (Or you could play short games if they had enough depth to play two or three rounds in a row.)
Settlers and similar Eurogames filled that niche pretty well, or maybe they defined it. A different niche was the large Ameritrash war games where one game lasts 4-5 hours. I haven't played those (unless you count Risk, years ago), so I'm less sure how many players they want, but I think they're 4-6, rather than 2 or 3.
A decade or so ago I played a LOTR game that was semi-cooperative. (There are presumably other LOTR games around.) You're playing one of the fellowship of the ring characters, and you're competing against each other, but Sauron's also moving, and if he gets to the ring before you get it to the volcano in Mordor, you all lose.
It's a serious, interesting game, but you not only have to put a huge amount of work and study into it before you're any good, but also you need to have opponents around who are of a vaguely similar level. Yes, there's a handicap system, but playing a game with a 9-stone handicap is still mostly the smart guy teaching the newbie (and playing 13-stone is just silly.) And watching games between people who are far enough ahead of you doesn't teach you much.
I used to work in a building with about 4000 engineers and scientists, a fair number of them Chinese, and there was a lunchtime Go club with a few dozen players. Newbies are rated around 25 kyu, a couple of guys were in the 15-20 range, but most of the people were 9 kyu or better. When my officemate made sho-dan, he was nowhere near the best around; there were a couple of 3-4 dan players. So basically, if one of the not-so-hot players was around, I could play a game that wasn't ridiculously handicapped, but I really would have needed a year of serious self-study before I'd be able to have much fun playing at lunch time, and I had better things to do.
I played chess a lot growing up and with chess club in high school, and had reached the point that I understood the aesthetics of chess enough to know that it wasn't fun to watch me playing :-) I didn't totally suck at it, but it wasn't much of a social experience.
The issue here is outgoing packets, not incoming - you have two lines, one to ISP A and one to ISP B, and normally if you're sending a packet from your address a.a.a.a, you send it on Line A, ISP A sees it's from you, and forwards it on. But sometimes it makes sense to send that packet out on Line B, and if ISP B implements BCP38 anti-spoofing and you haven't made special arrangements with them, they'll drop it (because they'll assume that either you're doing something malicious, or that your configurations are broken, and either way dropping it is the right thing to do.) Happens right away, on their first router, no need to get to backbone.
Why would you want to do this? One classic example is load-balancing - you've got your web server set on your reliable-but-expensive ISP A connection, but you want to send most of the packets out your unreliable-but-cheap ISP B cable modem, or maybe both links are similar quality but link A happens to be carrying 3/4 of the traffic right now. Another is satellites for remote locations - you want to receive data on your fat high-latency satellite link, but it's only a one-way connection, so you're sending out queries and TCP ACKs on your skinny terrestrial link (e.g. modem), with a source address claiming to be your satellite link.
That trick never works; basically nobody permits it.
There are legitimate reasons for you to have a source IP address that's different from your primary one, e.g. you have two internet connections and you're load-balancing across them, or you're a business with a small reliable connection and a big cheap cable modem, or you've got a satellite connection and a terrestrial one, etc. But usually if you're doing that, it's because you're a business, and you can either arrange with your ISP to permit it, or run BGP to announce the routes to your ISP so that the uRPF will accept them, or some other option which often costs money.
Yep. Default behaviour is to block that stuff, if your ISP is any good. Depending on how cheap the cheaper ISP was, you might or might not be able to get your connection set to allow it, and your costs might get a lot higher. (If BGP was an option, you could often just announce the routes; if it was a consumer cable modem, or probably even a business cable modem, you can't fix it, but you can still play load-balancing games with your DNS, or do redirects from your webserver so that http://www.example.com/stuff redirects to http://www-cablemodem.example...., etc.)
It's been a few product cycles since I've really known how Cisco routers implemented things, and the balance between what gets done with ASICs vs. CPU has been changing constantly as CPUs (and ASICs) get cheaper, but simple spoof-proofing doesn't burn significant resources, because it can piggyback off the mechanisms that get used for routing. Basically, you look up the source IP address in the routing table, and if it's there (loose case) and points to the source Ethernet port (strict case) you allow it, otherwise you drop it, then you look up the destination address, and if it's there, you send the packet to the destination port, otherwise you drop it (optionally with some ICMP rejection message.)
The harder part is for endpoints that have BGP connections; you have to decide what policies to use to filter the announcements from the endpoint. In some cases it's easy (they've only got a few IP address blocks, and you enter them into some provisioning database that configures your router to only allow those), but in some cases your customer's network is more complex, and requires an actual human to do the configuration, or your connection was with another ISP or a big corporate customer, in which case filtering's a lot more complex because you're doing traffic load-balancing as well as trying to allow anything non-stupid to happen automatically and blocking anything stupid, and if your router had green paint on it there was a hard limit on how many routes it could accept and how much CPU it could use thinking about them, while if it had blue paint the CPU wasn't usually the problem but other things were (especially if you and the people you were peering with had different-colored routers.)
Hey, there's Slashdotting. Not a deliberate DDOS, because all the requests are legitimate, but it feels a lot like it.
A long, long time ago, in an internet environment far, far away, the Artists Against 419 project (or maybe it was 419eater?) had a website that would keep reloading lots of images from websites used by scammers in Nigeria, to burn up the limited bandwidth they had. Most of them were fake websites for banks, or Nigerian Ministry of Stolen Funds and Corrupt Officials, etc., and were usually on satellite links with limited bandwidth quotas. A few hundred people running the aa419 website could knock one off the air for a month. Bad guys in the better-connected world could also use techniques like that, but websites here can handle a lot more bandwidth, buy it at cheap wholesale prices, and afford protection like detecting too many queries from a given site.
But attacks don't always look quite the same as real traffic. Another classic DDOS technique is to send lots of TCP connection requests and then abandon them, either leaving the connection half-open (prompting the development of SYN Cookies and similar defenses), or going a bit farther into the interaction, with enough bots sending connections to make it hard for the website to answer the similar requests from real users. Does your web server track how many connections per second it'll accept from each IP address? If not, you can get DDOS'd. But if you do, you can hit false positives if, for instance, $BIG_COMPANY's employees are all trying to look at a website that their Engineering VP said they should look at, and the queries all come from the same firewall.
Or less subtly, you can get pounded with gigabits of packets being sent to your IP address, and you have to work with your ISP to deal with the problem, because you've only got a 10 Mbps pipe so it doesn't matter how smart your firewall is. If your ISP is dumb, you'll lose a lot of real traffic; if they're smart, they're using really expensive equipment and will charge you lots of money. Have fun.
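The per-source connection tracking the comment above asks about, as an added example that is not part of the original comments. It replays constructed connection-attempt records through a sliding-window limiter and shows both sides of the trade-off: the single chatty source gets cut off, but so does the one address that a whole company's employees share behind their firewall, until that address is given a larger budget. All addresses, counts and the log format are constructed for the example.

```python
"""Per-source-IP new-connection rate limiting, and its NAT false positive."""
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Allow at most `max_per_window` new connections per source IP in any
    `window_seconds` interval. Every attempt, accepted or not, counts against
    the window, so a source cannot slip under the limit by being rejected."""

    def __init__(self, max_per_window, window_seconds, per_ip_limits=None):
        self.max = max_per_window
        self.window = window_seconds
        # Optional larger budgets for known shared addresses (corporate NAT,
        # proxies) that legitimately fan out many users behind one IP.
        self.per_ip_limits = per_ip_limits or {}
        self.history = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ts, ip):
        q = self.history[ip]
        while q and ts - q[0] >= self.window:   # expire attempts outside the window
            q.popleft()
        limit = self.per_ip_limits.get(ip, self.max)
        accepted = len(q) < limit
        q.append(ts)
        return accepted


def make_sample_log():
    """Constructed traffic as 'timestamp source_ip' lines, one per new connection:
    a bot sending 50 connections in one second, a home user opening three pages,
    and 30 employees behind one corporate firewall address."""
    events = []
    events += [(i * 0.02, "192.0.2.66") for i in range(50)]        # bot
    events += [(i * 3.0, "198.51.100.20") for i in range(3)]        # home user
    events += [(0.5 + i * 0.15, "203.0.113.1") for i in range(30)]  # corporate NAT
    events.sort()
    return "\n".join("%.2f %s" % e for e in events)


def replay(log_text, limiter):
    """Run each record through the limiter; return ip -> (accepted, rejected)."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        ts, ip = line.split()
        stats[ip][0 if limiter.allow(float(ts), ip) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    log = make_sample_log()
    # Flat limit: 10 new connections per 5 seconds per source.
    print("flat limit   ", replay(log, ConnectionRateLimiter(10, 5.0)))
    # Same limit, but the known corporate firewall address gets a bigger budget.
    print("with override", replay(log, ConnectionRateLimiter(
        10, 5.0, per_ip_limits={"203.0.113.1": 100})))
```

With the flat limit the bot and the corporate firewall are both cut to 10 accepted connections; the override restores the firewall's 30 while the bot stays capped.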
Hi, AC - You're talking about a different kind of IP spoofing. You're trying to make sure that website foo.com doesn't see that your traffic is always coming from IP address x.y.z.w (or at least x.y.z.*) and deciding to send a SWAT team to your house or tell you that there are lots of sexy women in [some town near you] who'd like to webcam with you. You get around that by going through proxy servers that send traffic to foo.com from their own IP addresses and relay the responses back to you.
This is about spoofing IP addresses of TCP or UDP packets so that the responses go back to the spoofed address instead of your internet connection, because you're doing DDOS or something else malicious.
For instance, you send a DNS query, source = $VICTIM's address, destination = $BIG_DNS_SERVER, query-type = SomethingBig, and the destination receives it, assumes it's from $VICTIM, and sends them a 600-byte response to your 64-byte query, and so they're getting hit with 10x as much traffic as you're actually able to send them (which is something you'd do if you're one of thousands of zombie bots in this DDOS attack.)
Or you're sending them a DNS response, claiming to be from Source 8.8.8.8, Destination $VICTIM, saying that YourBank.com is now located at 257.3.4.5 (which is really evil-site.ru), with the checksum forged cleverly (thanks, Dan Kaminsky!) so they'll think it was a response to a query they'd sent.
Yes, it has to be done at the source, but even then it's harder than it looks. If you've got a consumer IP connection, or a small business that's statically routed, you've assigned them an IP address or block of addresses, and you can filter strictly on that.
But consider a small-to-medium business that has two ISPs for reliability reasons. If you're Carrier A, it's perfectly legitimate for it to send out traffic with source address a.a.a.a or b.b.b.b, because maybe its connection to Carrier B is down or busy right now. Or if they're a medium-to-large business with their own routable IP address block, they might be sending you BGP announcements claiming to own address block c.c.c.c/x (which they do) or d.d.d.d/y (which they don't, so you'd better be filtering.)
And if your customer is an ISP themselves (or a hosting provider, or a cloud service provider, or some other complex thing), they might very well be sending you all kinds of traffic, and at best you're going to loose-RPF them and trust them to do the BCP38.
It certainly helps, and BTW you not only have to block spoofed-source packets with TCP SYN, but also UDP, and ICMP, and TCP RST, and a few others, but since you typically implement BCP38 by doing uRPF at the IP layer, all that happens together. And ISPs also have to be really careful with filtering BGP announcements they accept (which is harder than you'd think) so the uRPF works (because otherwise the Bad Guys can just announce that they really own IP block x.y.z.0/24 and spoof away, as long as they've hijacked some company's internet connection and not just a consumer who gets a single dynamic IP or a small static-routed block.)
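The routing-table lookup described in the Cisco comment above (loose vs. strict uRPF) and the dual-homed customer from the two comments after it, as an added example that is not code from the original comments. It models an ISP A edge router whose customer also holds an address block from ISP B: strict uRPF drops the customer's legitimate asymmetric packets and the spoofed ones alike, loose uRPF passes anything that has a non-default route (so it only catches unrouted addresses), and a per-interface exception stands in for the "special arrangement" the comments mention. Routes, interface names and addresses are all constructed, and treating a default route as not satisfying uRPF is an assumption of this model.

```python
"""Model of BCP38 ingress filtering via unicast RPF, strict and loose."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


@dataclass
class EdgeRouter:
    routes: list
    # "Special arrangements": extra source prefixes a customer interface may
    # use even though the route for them points elsewhere.
    exceptions: dict = field(default_factory=dict)

    def lookup(self, addr):
        """Longest-prefix match over the routing table; None if nothing matches."""
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def urpf_accepts(self, pkt, mode):
        """Loose: some non-default route covers the source address.
        Strict: the best route for the source points back out the ingress
        interface (or the customer has an explicit exception for that prefix)."""
        ip = ipaddress.ip_address(pkt.src)
        for allowed in self.exceptions.get(pkt.ingress, ()):
            if ip in ipaddress.ip_network(allowed):
                return True
        route = self.lookup(pkt.src)
        # Assumption of this model: a default route does not satisfy uRPF;
        # otherwise loose mode would accept every address on the Internet.
        if route is None or route.prefix == DEFAULT:
            return False
        if mode == "loose":
            return True
        if mode == "strict":
            return route.interface == pkt.ingress
        raise ValueError("unknown uRPF mode %r" % mode)

    def forward(self, pkt, mode):
        """Return the egress interface, or a 'drop: ...' reason string."""
        if not self.urpf_accepts(pkt, mode):
            return "drop: uRPF-%s rejected src %s on %s" % (mode, pkt.src, pkt.ingress)
        route = self.lookup(pkt.dst)
        if route is None:
            return "drop: no route to %s" % pkt.dst
        return route.interface


# ISP A's edge router (constructed). 203.0.113.0/24 is the block ISP A gave the
# dual-homed customer on "cust1"; 198.51.100.0/24 is the block ISP B gave the
# same customer, which from here is reachable only via the upstream link.
ISP_A = EdgeRouter(routes=[
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust1"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "upstream"),
    Route(DEFAULT, "upstream"),
])

NORMAL = Packet("203.0.113.7", "192.0.2.53", "cust1")       # customer's own ISP A address
ASYMMETRIC = Packet("198.51.100.7", "192.0.2.53", "cust1")  # customer's ISP B address sent out line A
UNROUTED = Packet("100.64.0.9", "192.0.2.53", "cust1")      # only the default route covers it


def run(router, mode):
    """Forwarding decision for each sample packet under the given uRPF mode."""
    return {name: router.forward(p, mode) for name, p in
            (("normal", NORMAL), ("asymmetric", ASYMMETRIC), ("unrouted", UNROUTED))}


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, run(ISP_A, mode))
    # The customer arranged with ISP A to source traffic from its ISP B block:
    arranged = EdgeRouter(ISP_A.routes, {"cust1": ["198.51.100.0/24"]})
    print("strict+exception", run(arranged, "strict"))
```

Note that a spoofed packet carrying someone else's routable address looks exactly like the "asymmetric" case to the router, which is why loose uRPF passes it and why the exception must be scoped to the prefixes the customer actually holds.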
Sure, it's a cool-looking street-legal airplane, but if you want to get it into the air, you still need to drive to a runway, unfold the wings, and barrel down the runway at high speeds to take off, and then you need another runway to land it on, at which point you can drive away. It would have been really useful for my commute from Silicon Valley to Pleasanton (using airports in Palo Alto and Livermore), except for the parts about needing a pilot's license and a big pile of spare cash. But it's not going to replace cars and streets.
Everybody must get Stone.
Bridge has the "one player gets knocked out very early" aspect to it, but it's fine. Dummy's job is to go mix the next round of drinks for everybody.
The issue here is outgoing packets, not incoming - you have two lines, one to ISP A and one to ISP B, and normally if you're sending a packet from your address a.a.a.a, you send it on Line A, ISP A sees it's from you, and forwards it on. But sometimes it makes sense to send that packet out on Line B, and if ISP B implements BCP38 anti-spoofing and you haven't made special arrangements with them, they'll drop it (because they'll assume that either you're doing something malicious, or that your configurations are broken, and either way dropping it is the right thing to do.) Happens right away, on their first router, no need to get to backbone.
Why would you want to do this? One classic example is load-balancing - you've got your web server set on your reliable-but-expensive ISP A connection, but you want to send most of the packets out your unreliable-but-cheap ISP B cable modem, or maybe both links are similar quality but link A happens to be carrying 3/4 of the traffic right now. Another is satellites for remote locations - you want to receive data on your fat high-latency satellite link, but it's only a one-way connection, so you're sending out queries and TCP ACKs on your skinny terrestrial link (e.g. modem), with a source address claiming to be your satellite link.
That trick never works; basically nobody permits it.
There are legitimate reasons for you to have a source IP address that's different from your primary one, e.g. you have two internet connections and you're load-balancing across them, or you're a business with a small reliable connection and a big cheap cable modem, or you've got a satellite connection and a terrestrial one, etc. But usually if you're doing that, it's because you're a business, and you can either arrange with your ISP to permit it, or run BGP to announce the routes to your ISP so that the uRPF will accept them, or some other option which often costs money.
Yep. Default behaviour is to block that stuff, if your ISP is any good. Depending on how cheap the cheaper ISP was, you might or might not be able to get your connection set to allow it, and your costs might get a lot higher. (If BGP was an option, you could often just announce the routes; if it was a consumer cable modem, or probably even a business cable modem, you can't fix it, but you can still play load-balancing games with your DNS, or do redirects from your webserver so that http://www.example.com/stuff redirects to http://www-cablemodem.example...., etc.)
It's been a few product cycles since I've really known how Cisco routers implemented things, and the balance between what gets done with ASICs vs. CPU has been changing constantly as CPUs (and ASICs) get cheaper, but simple spoof-proofing doesn't burn significant resources, because it can piggyback off the mechanisms that get used for routing. Basically, you look up the source IP address in the routing table, and if it's there (loose case) and points to the source Ethernet port (strict case) you allow it, otherwise you drop it, then you look up the destination address, and if it's there, you send the packet to the destination port, otherwise you drop it (optionally with some ICMP rejection message.)
The harder part is for endpoints that have BGP connections; you have to decide what policies to use to filter the announcements from the endpoint. In some cases it's easy (they've only got a few IP address blocks, and you enter them into some provisioning database that configures your router to only allow those), but in some cases your customer's network is more complex, and requires an actual human to do the configuration, or your connection was with another ISP or a big corporate customer, in which case filtering's a lot more complex because you're doing traffic load-balancing as well as trying to allow anything non-stupid to happen automatically and blocking anything stupid, and if your router had green paint on it there was a hard limit on how many routes it could accept and how much CPU it could use thinking about them, while if it had blue paint the CPU wasn't usually the problem but other things were (especially if you and the people you were peering with had different-colored routers.)
Hey, there's Slashdotting. Not a deliberate DDOS, because all the requests are legitimate, but it feels a lot like it.
A long, long time ago, in an internet environment far, far away, the Artists Against 419 project (or maybe it was 419eater?) had a website that would keep reloading lots of images from websites used by scammers in Nigeria, to burn up the limited bandwidth they had. Most of them were fake websites for banks, or Nigerian Ministry of Stolen Funds and Corrupt Officials, etc., and were usually on satellite links with limited bandwidth quotas. A few hundred people running the aa419 website could knock one off the air for a month. Bad guys in the better-connected world could also use techniques like that, but websites here can handle a lot more bandwidth, buy it at cheap wholesale prices, and afford protection like detecting too many queries from a given site.
But attacks don't always look quite the same as real traffic. Another classic DDOS technique is to send lots of TCP connection requests and then abandon them, either leaving the connection half-open (prompting the development of SYN Cookies and similar defenses), or going a bit farther into the interaction, with enough bots sending connections to make it hard for the website to answer the similar requests from real users. Does your web server track how many connections per second it'll accept from each IP address? If not, you can get DDOS'd. But if you do, you can hit false positives if, for instance, $BIG_COMPANY's employees are all trying to look at a website that their Engineering VP said they should look at, and the queries all come from the same firewall.
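The per-IP connection tracking (and the $BIG_COMPANY false positive) described in the comment above, as an added illustration that is not code from the original post. A sliding-window limiter counts new connections per source address; the addresses, timestamps and traffic shapes are constructed, and the `overrides` budget for a known corporate NAT is one assumed way of handling the false positive, not something the comment prescribes:

```python
"""Per-source connection-rate tracking for a web front end, with the
false-positive case a NAT'd office produces.

Added illustration, not code from the original comment. All addresses,
timestamps and traffic shapes below are constructed.
"""
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding-window limit on new connections per source address.

    Timestamps are integers in milliseconds so the window arithmetic is exact.
    `overrides` maps a source address to a larger budget, e.g. for a known
    corporate firewall whose users would otherwise be lumped together.
    """

    def __init__(self, max_per_window, window_ms, overrides=None):
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.overrides = overrides or {}
        self.history = defaultdict(deque)   # src -> timestamps of accepted connections

    def accept(self, ts_ms, src):
        q = self.history[src]
        while q and ts_ms - q[0] >= self.window_ms:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.overrides.get(src, self.max_per_window):
            return False
        q.append(ts_ms)
        return True


def simulate(events, limiter):
    """Feed (ts_ms, src) connection attempts through the limiter; return per-source counts."""
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts_ms, src in sorted(events):
        outcome = "accepted" if limiter.accept(ts_ms, src) else "dropped"
        stats[src][outcome] += 1
    return dict(stats)


def constructed_events():
    """Three constructed traffic sources sharing one 20-second window."""
    events = []
    # A normal visitor: one new connection every 2 s.
    events += [(t * 2000, "198.51.100.10") for t in range(10)]
    # One bot out of a flood: 100 connection attempts per second for 5 s.
    events += [(i * 10, "203.0.113.66") for i in range(500)]
    # A corporate firewall: 200 employees each open one connection within the
    # same second, all appearing as a single source address (the false positive).
    events += [(3000 + i * 5, "192.0.2.1") for i in range(200)]
    return events


def run(overrides=None):
    """50 new connections per source per second, optionally with per-source overrides."""
    return simulate(constructed_events(), PerSourceRateLimiter(50, 1000, overrides))


if __name__ == "__main__":
    print("plain limit      :", run())
    print("with NAT override:", run({"192.0.2.1": 1000}))
```

With a flat 50-per-second budget the bot is cut to a quarter of its attempts, the normal visitor is untouched, and three quarters of the office's legitimate connections are dropped because they share one firewall address; the override run shows why such a limiter needs a per-source exception list (or a different signal than source address) before it goes in front of real users.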
Or less subtly, you can get pounded with gigabits of packets being sent to your IP address, and you have to work with your ISP to deal with the problem, because you've only got a 10 Mbps pipe so it doesn't matter how smart your firewall is. If your ISP is dumb, you'll lose a lot of real traffic; if they're smart, they're using really expensive equipment and will charge you lots of money. Have fun.
Hi, AC - You're talking about a different kind of IP spoofing. You're trying to make sure that website foo.com doesn't see that your traffic is always coming from IP address x.y.z.w (or at least x.y.z.*) and deciding to send a SWAT team to your house or tell you that there are lots of sexy women in [some town near you] who'd like to webcam with you. You get around that by going through proxy servers that send traffic to foo.com from their own IP addresses and relay the responses back to you.
This is about spoofing IP addresses of TCP or UDP packets so that the responses go back to the spoofed address instead of your internet connection, because you're doing DDOS or something else malicious.
For instance, you send a DNS query, source = $VICTIM's address, destination = $BIG_DNS_SERVER, query-type = SomethingBig, and the destination receives it, assumes it's from $VICTIM, and sends them a 600-byte response to your 64-byte query, and so they're getting hit with 10x as much traffic as you're actually able to send them (which is something you'd do if you're one of thousands of zombie bots in this DDOS attack.)
Or you're sending them a DNS response, claiming to be from Source 8.8.8.8, Destination $VICTIM, saying that YourBank.com is now located at 257.3.4.5 (which is really evil-site.ru), with the checksum forged cleverly (thanks, Dan Kaminsky!) so they'll think it was a response to a query they'd sent.
Or stuff like that.
Yes, it has to be done at the source, but even then it's harder than it looks. If you've got a consumer IP connection, or a small business that's statically routed, you've assigned them an IP address or block of addresses, and you can filter strictly on that.
But consider a small-to-medium business that has two ISPs for reliability reasons. If you're Carrier A, it's perfectly legitimate for it to send out traffic with source address a.a.a.a or b.b.b.b, because maybe its connection to Carrier B is down or busy right now. Or if they're a medium-to-large business with their own routable IP address block, they might be sending you BGP announcements claiming to own address block c.c.c.c/x (which they do) or d.d.d.d/y (which they don't, so you'd better be filtering.)
And if your customer is an ISP themselves (or a hosting provider, or a cloud service provider, or some other complex thing), they might very well be sending you all kinds of traffic, and at best you're going to loose-RPF them and trust them to do the BCP38.
It certainly helps, and BTW you not only have to block spoofed-source packets with TCP SYN, but also UDP, and ICMP, and TCP RST, and a few others, but since you typically implement BCP38 by doing uRPF at the IP layer, all that happens together. And ISPs also have to be really careful with filtering BGP announcements they accept (which is harder than you'd think) so the uRPF works (because otherwise the Bad Guys can just announce that they really own IP block x.y.z.0/24 and spoof away, as long as they've hijacked some company's internet connection and not just a consumer who gets a single dynamic IP or a small static-routed block.)
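The uRPF lookup sketched in the Cisco-router comment above (loose: source is in the routing table; strict: the route points back at the ingress port) and the multihomed-customer problem from the last few comments, as an added illustration that is not code from the original posts. The routing table, interface names, path preferences and packets are constructed. The `feasible` mode, which passes a source if any route to it (not just the best one) points back out the ingress interface, goes beyond the two modes the comments name; it is the usual compromise for a customer who legitimately sources both a.a.a.a and b.b.b.b on one link:

```python
"""Strict, feasible-path and loose unicast RPF (uRPF) over a toy routing table.

Added illustration, not code from the original comments. The routing
table, interface names, preferences and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # where the router would send traffic *to* this prefix
    preference: int = 100   # lower wins among equal-length prefixes (constructed stand-in for path selection)


# Constructed table for "Carrier A". The multihomed customer on cust-A owns
# 198.51.100.0/24 and also legitimately sources 203.0.113.0/24, but Carrier A
# prefers the path to that second block via its peering with Carrier B.
ROUTES = [
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-A"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "peer-B", preference=50),
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust-A", preference=100),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-X"),     # an unrelated customer
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream"),      # default route
]


def candidate_routes(addr, routes):
    """All routes sharing the longest prefix that covers addr (several paths are possible)."""
    matching = [r for r in routes if addr in r.prefix]
    if not matching:
        return []
    longest = max(r.prefix.prefixlen for r in matching)
    return [r for r in matching if r.prefix.prefixlen == longest]


def urpf_allows(src, in_iface, routes, mode="strict"):
    """Decide whether a packet with source src arriving on in_iface passes uRPF.

    loose    : some specific route to the source exists (any interface).
    feasible : some route to the source points back out in_iface, not
               necessarily the best one.
    strict   : the best route to the source points back out in_iface.
    The default route is ignored in every mode; otherwise loose mode would
    accept any source address at all.
    """
    cands = [r for r in candidate_routes(ipaddress.ip_address(src), routes)
             if r.prefix.prefixlen > 0]
    if not cands:
        return False
    if mode == "loose":
        return True
    if mode == "feasible":
        return any(r.interface == in_iface for r in cands)
    if mode == "strict":
        best = min(cands, key=lambda r: r.preference)
        return best.interface == in_iface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def evaluate(packets, routes, mode):
    """Return {(src, in_iface): allowed} for a list of (src, in_iface) packets."""
    return {(src, ifc): urpf_allows(src, ifc, routes, mode) for src, ifc in packets}


# Constructed packets, all arriving on the multihomed customer's link.
PACKETS = [
    ("198.51.100.7", "cust-A"),   # customer's primary block (a.a.a.a)
    ("203.0.113.5", "cust-A"),    # customer's second block (b.b.b.b); best path is via peer-B
    ("192.0.2.9", "cust-A"),      # source belongs to another customer: spoofed
    ("10.0.0.1", "cust-A"),       # no specific route at all: spoofed
]

if __name__ == "__main__":
    for mode in ("strict", "feasible", "loose"):
        print(mode, evaluate(PACKETS, ROUTES, mode))
```

Strict mode drops the customer's legitimate b.b.b.b traffic because the best route points at Carrier B; loose mode lets that through but also lets the customer spoof another customer's block, catching only sources with no route at all; feasible-path mode accepts b.b.b.b only because the customer has announced that block on its own link, which is exactly why the BGP announcements have to be filtered carefully for any of this to hold up.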
Sure, it's a cool-looking street-legal airplane, but if you want to get it into the air, you still need to drive to a runway, unfold the wings, and barrel down the runway at high speeds to take off, and then you need another runway to land it on, at which point you can drive away. It would have been really useful for my commute from Silicon Valley to Pleasanton (using airports in Palo Alto and Livermore), except for the parts about needing a pilot's license and a big pile of spare cash. But it's not going to replace cars and streets.