Home page logo
/

nanog logo nanog mailing list archives

Re: NSPs and filters (fwd)
From: Jon Lewis <jlewis () inorganic5 fdt net>
Date: Sun, 13 Jul 1997 02:27:14 -0400 (EDT)

On Sun, 13 Jul 1997, Michael wrote:

Then couldn't the net also be a nicer place if the 'customer' filtered
their outbound packets? Of course this involves trusting the engineer's of
the downstream network to actually DO the filtering.

Obviously my previous posts were too simple and people didn't get the
message...some even flamed me.

In the cases where the customer runs the router at their site, this would
be a likely place for filters to be installed.  NSP's should require these
customers to either have such filters on their routers, or if appropriate,
on their customer's routers.  For really big ISP's, they should require
that their customers customers run with such filters, and so on. 

There should be clear rules and policies dealing with this...not just an
unwritten "you really shouldn't do that".  The thing that bugs me the most
about FDT's 72 hours of UDP attack is that it almost certainly came from
the admin of some well connected site or from a colo box somewhere. 
Unless I'm mistaken, forged UDP requires root access and (at the volume we
received) was likely from a host with T1 or better connection to the net. 
This site, or its NSP (if the NSP provides/maintains the customer router)
obviously runs no filters to prevent forged addresses from leaving their
network.

For example Sprint/Centel provides a T1 and Cisco 2501 in FDT's
Tallahassee office (this wasn't my idea).  This is a 2501 with an ethernet
connection, only one serial port in use, and nothing else.  It has the
ability to run with a filter like:

access-list 101 permit ip 199.44.96.0 0.0.7.255 0.0.0.0 255.255.255.255

without affecting performance in any measurable way, but Sprint/Centel
_refused_ to install even that basic a filter, claiming their policy is
"we don't filter".  With attitudes like that in NSP's, it's amazing FDT's
main office went about 2.5 years without a serious DoS IP attack.
 
------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
________Finger jlewis () inorganic5 fdt net for PGP public key_______



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]