attack
... 2827 [1], is designed to limit the impact of distributed
denial of service attacks, by denying traffic with spoofed addresses
...
... network. As a side effect of protecting the
Internet against such attacks, the network implementing the solution
also protects itself from this and other attacks ...
... attacks, the network implementing the solution
also protects itself from this and other attacks, such as spoofed
management access to networking equipment. There are cases when this
...
... The reasoning behind the ingress filtering procedure is that
Distributed Denial of Service Attacks frequently spoof other systems'
source addresses, placing a random number ...
... source addresses, placing a random number in the field. In some
attacks, this random number is deterministically within the target
...
... network, simultaneously attacking one or more machines and causing
those machines to attack others with ICMP messages or other traffic;
...
... source addresses in packets received from the Internet. In other
attacks, the source address is literally a random 32 bit number,
...
... source address is literally a random 32 bit number,
resulting in the source of the attack being difficult to trace. If
the traffic ...
... ISP can be
limited to traffic it is legitimately sending, attacks can be
somewhat mitigated: traffic with random or improper source addresses ...
... traffic with random or improper source addresses
can be suppressed before it does significant damage, and attacks can
be readily traced back to at least their source networks.
...
... routers and other ISP
infrastructure are vulnerable to several kinds of attacks. The
threat is typically mitigated by restricting who can access these
systems.
...
... and upstreams) -- blocking the use of your own addresses as source
addresses -- the attackers may be able to circumvent the protections
of the infrastructure gear.
...
... It bears to keep in mind that while one goal of ingress filtering is
to make attacks traceable, it is impossible to know whether the
particular attacker "somewhere in the Internet ...
... to make attacks traceable, it is impossible to know whether the
particular attacker "somewhere in the Internet" is being ingress
filtered or not. Therefore, one can only guess whether the source
addresses ...
... source
addresses have been spoofed or not: in any case, getting a possible
lead -- e.g., to contact a potential source to ask whether they're
observing an attack or not -- is still valuable, and more so when the
ingress filtering gets more and more widely deployed.
...
... upstream interfaces to reduce
the size of DoS attacks with unrouted source addresses. In the
downstream ...
... ingress filtering to prevent
spoofed addresses being used, both to curtail DoS attacks and to make
them more traceable, and to protect their own infrastructure. This
memo describes mechanisms that could be used to achieve that effect,
...
... Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP ...
