On 3/23/06, <b class="gmail_sendername">Per Heldal</b> <<a href="mailto:heldal@eml.cc">heldal@eml.cc</a>> wrote:<br><div><span class="gmail_quote">[...]<br></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> And sure, spoofed traffic can be hard to detect, but this doesn't mean<br>> none of it can be detected. Specially when attacks last for hours/days.<br><br>This isn't about detecting random spoofed packets.</blockquote>
<div><br> Sure, but what about when spoofing is prevented from some subnets but not others, through incompetence or malice?<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> PS: And of course, in parallel, we could fix UDP so that packets sent in<br>> either direction have the same size. But that might take longer. ;-)<br><br>... besides being a joke, it also misses the fact that spoofing may be
<br>used just to hide the presence of bots with no amplification.</blockquote><div><br> The 2 problems of spoofing and amplification are orthogonal (they do make a nice combination). Both deserve to be fixed, IMHO. It's just a matter of (relatively) easy wins first.
<br><br>Pierre.<br></div><br></div>