Re: Tying a session to an IP address
From: exon <exon () home se>
Date: Mon, 10 May 2004 23:11:18 +0200
Toni Heinonen wrote:
>> You're assuming that routers care about a packet's origin.
>
> That's not a far-fetched assumption. Of course, your perimeter router (or perhaps
> firewall) is supposed to filter all traffic clearly not from the internet (127/8,
> 224, APIPA, RFC1918 and of course your own addresses)

But if you wouldn't want it a public service you might as well block
incoming traffic on the port anyways, so this doesn't apply.

> and it isn't far-fetched to
> think ISPs do filtering on their clients' outbound traffic. My ISP does this, I
> can't spoof my address.

I still haven't found one that does. And the belligerent sort that
resort to spoofing often have access to a host or two on some
godforsaken remote location that not even virii care about and where
IP-tracking is a novelty.

> Also, the ISP's routers at different connection points across the Internet can
> do reverse filtering based on their routing information (if a packet says it's
> coming from 193.65.76 and that network is by routing information only behind
> another interface, it's discarded). I've heard of ISPs that do this too.

See statement above regarding perimeter-routers. As for the backbone
routers, this is simply ludicrous. There would be no end to the
computing power required to sift out traffic on a scale of 10Gbit/sec.
In Sweden, those routers run on a minimum of 60% bandwidth usage more or
less nonstop. That's 750000000 octets every second, in case you were
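
Added example, not part of the original message and not either poster's code: the two source-address checks debated in this thread (perimeter filtering of impossible sources, and reverse filtering against the routing table) written out in Python. The interface names, the routing table and the "own network" prefix are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Sources a perimeter filter drops on the Internet-facing interface, per the
# list in the thread: loopback, multicast, APIPA (link-local), RFC 1918.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "224.0.0.0/4", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed values (assumptions): the site's own prefix and a toy routing table.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ROUTES = [  # (prefix, interface the router uses to reach that prefix)
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("198.51.100.0/24"), "customer-a"),
    (ipaddress.ip_network("203.0.113.0/24"), "customer-b"),
]

def perimeter_accepts(src):
    """Ingress check on the Internet-facing interface: reject sources that
    cannot legitimately arrive from outside, including our own addresses."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in BOGON_SOURCES + OWN_NETWORKS)

def best_route_interface(src, routes=ROUTES):
    """Longest-prefix match on the source, exactly as for a destination lookup."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    return max(matches)[1] if matches else None

def reverse_path_accepts(src, arrived_on, routes=ROUTES):
    """Strict reverse filtering: accept only if the route back to the source
    leaves through the interface the packet arrived on."""
    return best_route_interface(src, routes) == arrived_on

if __name__ == "__main__":
    # Constructed packets: (claimed source address, interface it arrived on).
    for src, ifname in [("198.51.100.7", "customer-a"),
                        ("203.0.113.9", "customer-a"),
                        ("10.1.2.3", "upstream")]:
        print(src, ifname,
              "perimeter:", perimeter_accepts(src),
              "reverse-path:", reverse_path_accepts(src, ifname))
```

The reverse-path check costs one extra routing lookup per packet, on the source address instead of the destination, which is the per-packet work the backbone objection above is about.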