Home page logo
/

nanog logo nanog mailing list archives

Re: Things to do to make the network better
From: "Perry E. Metzger" <perry () piermont com>
Date: Mon, 05 Jan 1998 11:07:01 -0500


Owen DeLong writes:
I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety fo packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

That's great if you're a downstream provider with no transit customers.
However, when you become a transit provider,

OF COURSE this is mainly a "leaf network" thing, not a thing for
transit networks.

Large providers serving "leaf networks" with well defined connection
points to them *can* do some filtering -- in particular, they can
refuse to pass packets to a network claiming to originate from within
it, and they can refuse to accept packets from a network claiming not
to come from within it. That is not, of course, the true transit
network case.

Extensive filtering *will* reduce the denial of service attacks of
this sort we are getting. They can never eliminate them, but they
*will* help. I cannot urge strongly enough that people start
implementing this sort of filtering as soon as possible.

Perry


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault