NANOG mailing list archives

Things to do to make the network better
From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 31 Dec 1997 11:14:37 -0500


John R. Levine writes:
And since we're on this topic, at NANOG in Scottsdale we suggested
that ISPs firewall in their users so the only port 25 connections they
can make are to the ISP's own SMTP server, so the ISP can stamp
outgoing mail with the actual sender ID and possibly do volume
monitoring and choking.  (You could either block connections to other
systems, or warp them to your own servers, and you'd need provision
for exceptions for people who send in a signed AUP, etc.)  How far is
that from being feasible for POP farm customers?

It is pretty easy to filter port 25 connections from the ranges in
question.

I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety of packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

I've been thinking of surveying randomly selected networks to see how
many people are actually taking these (critical and necessary) steps.

Perry
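The two filtering rules discussed in this thread (the border anti-spoofing filters Perry describes, and the port 25 restriction for POP customers that John Levine proposes) can be expressed as a single border policy. The following is an added illustration, not code from the post or from any NANOG participant. All addresses, prefixes and the AUP exemption list are constructed (RFC 5737 documentation space); the ISP relay address and the exempt customer are hypothetical. The policy function decides a verdict for each packet crossing the border, and the audit helper runs it over a constructed sample so the outcome of each rule can be seen side by side.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample topology (assumption: none of these values come from the post).
INSIDE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),      # ISP infrastructure and leased-line customers
    ipaddress.ip_network("198.51.100.0/24"),   # POP / dial-up customer pool
]
POP_CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
ISP_SMTP_SERVER = ipaddress.ip_address("192.0.2.25")         # hypothetical ISP mail relay
AUP_EXEMPT = {ipaddress.ip_address("198.51.100.7")}          # hypothetical: signed the AUP


class Packet(NamedTuple):
    direction: str            # "in" = arriving from outside, "out" = leaving toward outside
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def is_inside(addr) -> bool:
    """True if the address belongs to one of our own announced ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INSIDE_PREFIXES)


def border_verdict(pkt: Packet) -> str:
    """Return 'permit' or 'deny: <reason>' for one packet at the border router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Ingress filter: a packet from outside must not claim an inside source.
    # This is what keeps our customers from being the target of forged-source floods.
    if pkt.direction == "in" and is_inside(src):
        return "deny: inside source address arriving from outside (forged)"

    # Egress filter: a packet leaving must carry one of our own source addresses.
    # This is what keeps our network from ever being the origin of forged traffic.
    if pkt.direction == "out" and not is_inside(src):
        return "deny: outside source address leaving from inside (forged)"

    # Port 25 rule for the POP pool: outbound SMTP must go through the ISP relay,
    # unless the customer has an AUP exception on file.
    if (pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport == 25
            and any(src in net for net in POP_CUSTOMER_PREFIXES)
            and src not in AUP_EXEMPT
            and dst != ISP_SMTP_SERVER):
        return "deny: direct port 25 from POP customer; use the ISP SMTP server"

    return "permit"


def audit(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the border policy to a batch of packets and pair each with its verdict."""
    return [(p, border_verdict(p)) for p in packets]


# Constructed sample traffic covering each rule.
SAMPLE = [
    Packet("in", "192.0.2.10", "203.0.113.5", "icmp"),             # forged inside source from outside
    Packet("out", "203.0.113.5", "192.0.2.10", "icmp"),            # forged outside source from inside
    Packet("out", "198.51.100.20", "203.0.113.25", "tcp", 25),     # POP customer, direct SMTP
    Packet("out", "198.51.100.7", "203.0.113.25", "tcp", 25),      # POP customer with AUP exception
    Packet("out", "192.0.2.10", "203.0.113.25", "tcp", 25),        # leased-line customer, not restricted
    Packet("in", "203.0.113.5", "192.0.2.10", "tcp", 80),          # ordinary inbound web traffic
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE):
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport}: {verdict}")
```

The two anti-spoofing checks are deliberately placed before the port 25 rule: a packet with a forged source is dropped regardless of what service it targets, so the SMTP policy only ever sees traffic whose source can actually be attributed to a customer.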

