North American Network Operators Group

Re: Ping flooding (fwd)
At 10:43 PM 7/8/96 -0400, Todd Graham Lewis wrote:
>If you have a very restrictive security policy, then you might want to
>place a packet filter on all outgoing traffic. If your network is
>10.1.1.64/26, then you might have the following two rules:
>
>action  source          destination
>------  ------          -----------
>
>allow   10.1.1.64/26    *
>deny    *               *
>
>Of course, no one does this, because it is very time consuming for your
>router to examine every packet in this way. This translates into more
>marginal cost on your hardware for very little return.
>
>Say that person X, the person who owns the network from which these pings
>are apparently originating, did have such a filter. What does this do?
>It proves that the packets are not originating on his network. Does it
>stop anyone else from forging these packets? No.

Actually it doesn't prove that. The filter would /allow/ the packets to pass through the router since they were coming from one of his networks. If everyone else on the planet had such a rule it would prove that it /was/ coming from him.

Justin Newton
Internet Architect
Erol's Internet Services
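The two-rule egress filter quoted above, evaluated over several networks, as an added example that is not part of the original post. Network X and its prefix 10.1.1.64/26 come from the message; networks Y and Z, their prefixes, and the function names are constructed for illustration.

```python
import ipaddress

def egress_permits(rules, src):
    """First-match evaluation of (action, source-prefix) rules; '*' matches any source."""
    addr = ipaddress.ip_address(src)
    for action, prefix in rules:
        if prefix == "*" or addr in ipaddress.ip_network(prefix):
            return action == "allow"
    return False  # nothing matched: treat as deny

def filter_for(prefix):
    """The two rules from the quoted message: allow own prefix, deny everything else."""
    return [("allow", prefix), ("deny", "*")]

# Constructed topology: only X's prefix appears in the original message.
NETWORKS = {
    "X": {"prefix": "10.1.1.64/26", "filtered": True},
    "Y": {"prefix": "10.2.0.0/24", "filtered": False},  # no egress filter
    "Z": {"prefix": "10.3.0.0/24", "filtered": True},
}

def possible_origins(src, networks):
    """Networks whose border router would let a packet with this source address out."""
    origins = []
    for name, net in networks.items():
        if net["filtered"]:
            rules = filter_for(net["prefix"])
        else:
            rules = [("allow", "*")]  # unfiltered border passes any source
        if egress_permits(rules, src):
            origins.append(name)
    return origins

def all_filtered(networks):
    """Same topology with the egress filter deployed at every border."""
    return {n: dict(v, filtered=True) for n, v in networks.items()}

if __name__ == "__main__":
    src = "10.1.1.70"  # a source address inside X's prefix
    # X's own filter passes it, so the filter alone says nothing about origin.
    print("X filtered, Y not:", possible_origins(src, NETWORKS))
    # Only when every border filters does the source address pin the origin to X.
    print("everyone filtered:", possible_origins(src, all_filtered(NETWORKS)))
```
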