Home page logo

nanog logo nanog mailing list archives

Re: NSPs and filters
From: ice9 <ice9 () paranoia com>
Date: Sat, 12 Jul 1997 06:05:36 -0500 (CDT)

On Fri, 11 Jul 1997, Jon Lewis wrote:
Why is it that the NSPs I've encountered refuse to do any sort of sanity
filtering on their customer connections?  i.e. If UUNet knows that FDT has
only 205.229.48/20 and 208.215.0/20, why should they let me send traffic
through their network with random source addresses?

FDT has been the target of forged source address UDP attacks for the past
2 days.  It's all being stopped at our router that takes our UUNet T1, but
the extra T1 traffic is causing UUNet's usually unreliable network to be
even less reliable, and we've lost connectivity to UUNet several times
this evening.

Its not feasible to filter packets on customer gateway routers.  When you
impose a packet filter on a GW router customer interface, all packets  
destined to that customer have to be matched to an access-list and then
forwarded down the pipe or dropped.  This increases the load on the  
router CPU, because it is used to switching the packets.  Now you have to
analyze each packet which takes up CPU time.

This is not a nice thing to do to a router, especially while the router is
trying to keep up with 50 other customers...  And if more than 1 customer
wants this type of service, you start really feeling the load.

      ice9 () paranoia com      http://www.paranoia.com/~ice9
My opinion may not reflect that of any living person, but its the 
only one that counts!!
                      main() {for(;;fork());}

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]