nanog mailing list archives

Re: Network Operators and smurf
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Fri, 24 Apr 1998 18:55:53 -0400

On Fri, Apr 24, 1998 at 06:39:28PM -0400, Dean Anderson wrote:
Dean, but I'd be happy to be proven wrong.

There isn't a simple knob, but then it isn't simple to know what a forgery
is. You have to tell the router.  The router doesn't know what you and
other people "own", but you can tell it.  I'd say there isn't a way to make
a simple on/off knob for that, because there isn't any way to tell who you
will transit for and who you won't.

Or, another perhaps better way is to only accept packets from your customer
networks which are sourced from those networks.  Each customer interface
then has an inbound filter that blocks everything not sourced from your
customer's network.

That was the idea.  I was, as noted, mostly talking about router
interfaces with only one network (block) behind it.  I gather a large
part of it comes from dialups, where the remote network is a /32.

In any event, I'm not sure I made the query explicit enough, from a
couple of replies I got: the knob I'm specifically interested in says
"don't forward packets with source addresses that can't be routed back
out this port".

-- jra
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Two words: Darth Doogie."  -- Jason Colby,
Tampa Bay, Florida             on alt.fan.heinlein             +1 813 790 7592

Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
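The check asked for above ("don't forward packets with source addresses that can't be routed back out this port"), modelled in Python as an added example; it is not part of the original message and not any router vendor's code. The forwarding table, interface names and addresses are constructed (documentation prefixes), and the `cust-b`/`cust-c` overlap shows why the check only suits interfaces with a single block behind them.

```python
import ipaddress

# Constructed forwarding table: (prefix, outgoing interface). The prefixes
# and interface names are assumptions made up for this example.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust-a"),        # single-homed customer block
    ("198.51.100.7/32", "dialup3"),    # dial-up user: remote network is a /32
    ("203.0.113.0/24", "cust-b"),
    ("203.0.113.128/25", "cust-c"),    # more-specific inside cust-b's /24
]

def build_fib(routes):
    """Parse routes once and order them most-specific first."""
    fib = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]
    return sorted(fib, key=lambda r: r[0].prefixlen, reverse=True)

def best_route(fib, addr):
    """Longest-prefix match: return (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in fib:
        if ip in net:
            return net, ifname
    return None

def reverse_path_ok(fib, in_if, src):
    """Accept only if the route back to src leaves by the arrival interface."""
    route = best_route(fib, src)
    return route is not None and route[1] == in_if

def filter_packets(fib, packets):
    """Split (arrival interface, source address) pairs into forward/drop."""
    fwd, drop = [], []
    for pkt in packets:
        (fwd if reverse_path_ok(fib, *pkt) else drop).append(pkt)
    return fwd, drop

if __name__ == "__main__":
    sample = [  # constructed packets
        ("cust-a", "192.0.2.10"),      # source inside the customer block
        ("cust-a", "203.0.113.5"),     # source the customer does not hold
        ("dialup3", "198.51.100.7"),   # the dial-up user's own /32
        ("dialup3", "198.51.100.8"),   # adjacent address, not this user's
        ("cust-b", "203.0.113.200"),   # valid host, but best route is cust-c
    ]
    fwd, drop = filter_packets(build_fib(ROUTES), sample)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

The last sample packet is dropped even though its source is genuine, which is the multi-path case where a per-interface filter listing the customer's prefixes is the safer choice.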
