There have been a number of very public and very damaging denial-of-service attacks recently, many of them variations on one simple technique: forging the source address of IP packets. The result is that the target server is fooled into doing things it shouldn't, and in the end it is knocked off the network. The first trick is to forge the target's address as the source and send packets to other machines. Those machines send their responses to the forged address, and since there are many of them and only one target, the resulting traffic inundates it. The second trick is to forge an illegal or insane source address; broadcast addresses are common choices. When the target receives such packets, it sends its responses to the forged broadcast address, every machine on the target's network then answers the broadcast, and a single initial packet triggers dozens or hundreds of responses, flooding the network.
What gripes me is that this shouldn't be possible. Packets shouldn't originate from broadcast addresses. Packets originating on an ISP's network shouldn't carry source addresses not assigned to the ISP or its customers. Packets claiming to come from a network shouldn't arrive from the outside world. Given this, it should be possible to filter such packets out of the networks, right? As I learned setting up a firewall, it can be done, and done relatively easily. It takes only a few basic filtering rules:

1. Drop any packet whose source address is a broadcast address.
2. Drop any packet leaving your network whose source address is not one assigned to you or your customers.
3. Drop any packet arriving from the outside world whose source address claims to belong to your own network.
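To make the three rules concrete, here is an added example (not the author's firewall configuration) that applies them to a handful of constructed packets. The interface names "inside"/"outside", the assigned range 203.0.113.0/24 and every address in the samples are assumptions chosen from documentation-only ranges.

```python
import ipaddress
from dataclasses import dataclass

# Address space assigned to this site and its customers (assumed for the example).
ASSIGNED = [ipaddress.ip_network("203.0.113.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    iface: str  # "inside" = sent by our own hosts, "outside" = arriving from the Internet
    src: str
    dst: str


def is_assigned(addr):
    return any(addr in net for net in ASSIGNED)


def is_broadcast_source(addr):
    # Rule 1: no legitimate packet originates from the limited broadcast address
    # or from the directed broadcast address of one of our own networks.
    return addr == LIMITED_BROADCAST or any(
        addr == net.broadcast_address for net in ASSIGNED)


def filter_packet(pkt):
    """Return ("ACCEPT", "") or ("DROP", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if is_broadcast_source(src):
        return ("DROP", "broadcast source")
    if pkt.iface == "inside" and not is_assigned(src):
        # Rule 2 (egress): our hosts may only send from addresses assigned to us.
        return ("DROP", "egress: source not assigned to us")
    if pkt.iface == "outside" and is_assigned(src):
        # Rule 3 (ingress): our own addresses cannot legitimately come from outside.
        return ("DROP", "ingress: internal source from outside")
    return ("ACCEPT", "")


SAMPLE = [  # constructed traffic, one packet per case
    Packet("inside", "203.0.113.10", "198.51.100.5"),      # normal outbound
    Packet("outside", "198.51.100.5", "203.0.113.10"),     # normal inbound
    Packet("inside", "198.51.100.77", "192.0.2.1"),        # spoofed egress
    Packet("outside", "203.0.113.10", "203.0.113.20"),     # spoofed ingress
    Packet("outside", "255.255.255.255", "203.0.113.10"),  # limited broadcast source
    Packet("outside", "203.0.113.255", "203.0.113.10"),    # directed broadcast source
]


def run(packets=SAMPLE):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLE, run()):
        print(f"{p.iface:7} {p.src:>15} -> {p.dst:<15} {verdict} {reason}")
```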
It took me only a few lines in my own firewall's configuration to implement these rules. It's not that hard, and it would nearly completely shut down denial-of-service and other attacks that depend on IP address spoofing. So why in Hades are ISPs not making these rules a standard part of their routing policies? Whether it's incompetence, laziness or refusal to spend money on routers that can handle their traffic, ISPs who don't implement these rules are contributing to the damage done to the network by DoS and other attacks. Perhaps it's time those of us who've been victims of attacks that could have been prevented by these rules started holding the ISPs involved responsible for their negligence, right alongside the crackers and script-kiddies who perpetrated the attacks.
tknarr@silverglass.org