Fabian Wenk writes:
This Mail  arrived just over the Full-Disclosure
but should probably also be of interest to some people here.
Yes, at least it should remind our community that ingress filtering is
important. When I tried the "spoofer" test software from
, I was shocked to see that
I can spoof packets from my home broadband connection (and probably
the 299'999 other broadband customers of that Swiss ISP can do so as
well :-). Hopefully other Swiss ISPs do this better.
I hate to say something in defense of NATs, but at least the problem
is somewhat mitigated by the fact that many surfers (especially those
with broadband connections) use NATs. They make address spoofing from
compromised PCs ineffective.
As for enterprise connections, I'm not sure. I assume most small
enterprises use NATs as well. Large enterprises use firewalls, but if
something behind the firewall does get infected, I'm not sure those
firewalls would protect the outside world against spoofed packets (or
any other kind of junk) from those machines.
PS. SWITCH has ingress filters on all customer access interfaces, so
compromised systems inside universities cannot used spoofed source
addresses from outside the respective site's address space.