Home page logo
/

nanog logo nanog mailing list archives

Re: Things to do to make the network better
From: Tom Killalea <tomk () nwnet net>
Date: Mon, 05 Jan 1998 09:56:43 -0800

I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety fo packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

I strongly recommend such filtering in sections 5.7 and 5.8 of my 
"Security Expectations for Internet Service Providers" draft
  ftp://ds.internic.net/internet-drafts/draft-ietf-grip-isp-02.txt
and we've heard Paul plug 
  ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
here many times.

To answer Owen comments regarding the difficulty of filtering for
transit providers, I argue that filtering should happen as close to the
actual hosts as possible.

Tom.
--
Tom Killalea   (425) 649-7417    NorthWestNet
               tomk () nwnet net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]