Because UDP is fire and forget, you don't have to be able to respond to packets you send; this is why you can't do the same with TCP packets.

To impose fixes upstream, you'd have to do DPI on all data, which is not allowed under some laws (i.e. net neutrality).

In this case, you don't have to care about UDP or TCP, only IP.

RFC2827, which should fix the problem where SSDP can be used for DDoS, was published in 2000: https://tools.ietf.org/html/rfc2827

Is ingress filtering on layer 3 considered DPI?


I am not this kind of network engineer, HOWEVER. Both IPv4 and IPv6 are versioned by the first 4 bits of the packet. Depending on that value the address size and location are fixed.

I would not consider the comparison of the source address of packets crossing an ingress link to be 'deep'. I consider that check to be very shallow. It needn't even be every packet from a set; merely picking a random (actually random) packet and testing for conformity is a good quality control measure that SHOULD be taken.

What would the comparison be against? Routers are supposed to know which links are on the other side of all down-stream connections so that they can effectively route.


Why would your ISP allow you to send packets with a source address it hasn't allocated to YOU? That kind of check/enforcement is pretty cheap and simple.
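The check the last few comments describe (RFC 2827 / BCP 38 ingress filtering: the source address of a packet arriving on a customer link must fall within a prefix the provider allocated to that link) as a worked example. This is added code, not anything posted by the commenters; the allocation table, the packets and the minimal header builders are constructed for the demonstration, and it only reads the version nibble and the source field, which is what makes the check "shallow" rather than deep inspection. The random-sample audit from the earlier comment is included too.

```python
import ipaddress
import random

# Constructed allocation table: which source prefixes the provider has handed
# to each downstream (customer-facing) link. A real router would derive this
# from its allocation records / routing table; these values are made up.
ALLOCATIONS = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("2001:db8:a::/48")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def ip_version(packet: bytes) -> int:
    """The IP version lives in the first 4 bits of the header for both v4 and v6."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] >> 4


def source_address(packet: bytes):
    """Extract the source address; its offset and size are fixed once the version is known."""
    version = ip_version(packet)
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        return ipaddress.IPv4Address(packet[12:16])   # bytes 12..15
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return ipaddress.IPv6Address(packet[8:24])    # bytes 8..23
    raise ValueError(f"unsupported IP version {version}")


def ingress_ok(link: str, packet: bytes) -> bool:
    """RFC 2827-style check: accept only if the source is inside a prefix allocated to this link."""
    src = source_address(packet)
    return any(src in net for net in ALLOCATIONS.get(link, []))


def filter_batch(link: str, packets):
    """Apply the check to every packet; returns (accepted, dropped) counts."""
    accepted = sum(1 for p in packets if ingress_ok(link, p))
    return accepted, len(packets) - accepted


def audit_sample(link: str, packets) -> bool:
    """Cheaper quality-control variant: test one randomly chosen packet from the batch."""
    rng = random.SystemRandom()          # OS entropy, so the choice is not predictable
    return ingress_ok(link, rng.choice(packets))


# --- constructed minimal headers for testing (checksums left at zero) ---

def build_ipv4(src: str, dst: str) -> bytes:
    header = bytearray(20)
    header[0] = 0x45                      # version 4, IHL 5 (20-byte header)
    header[2:4] = (20).to_bytes(2, "big")  # total length
    header[8] = 64                        # TTL
    header[9] = 17                        # protocol: UDP
    header[12:16] = ipaddress.IPv4Address(src).packed
    header[16:20] = ipaddress.IPv4Address(dst).packed
    return bytes(header)


def build_ipv6(src: str, dst: str) -> bytes:
    header = bytearray(40)
    header[0] = 0x60                      # version 6, traffic class/flow label zero
    header[6] = 17                        # next header: UDP
    header[7] = 64                        # hop limit
    header[8:24] = ipaddress.IPv6Address(src).packed
    header[24:40] = ipaddress.IPv6Address(dst).packed
    return bytes(header)


if __name__ == "__main__":
    batch = [
        build_ipv4("203.0.113.7", "192.0.2.1"),       # legitimate for cust-a
        build_ipv6("2001:db8:a::1", "2001:db8:b::1"),  # legitimate for cust-a
        build_ipv4("198.51.100.9", "192.0.2.1"),       # not allocated to cust-a: dropped
    ]
    print("cust-a accepted/dropped:", filter_batch("cust-a", batch))
```

The decision needs only the version nibble and a prefix lookup, so it sits in the router's forwarding path at roughly the cost of a route lookup; a dropped packet here would be counted and logged by the provider rather than silently discarded, which is how spoofing from a customer link gets noticed.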
