North American Network Operators Group


Re: SYN floods continue

  • From: Avi Freedman
  • Date: Wed Sep 11 16:34:39 1996

I was talking about a different filter.

The one I listed was designed to prohibit someone at an exchange point
from using our network for transit.

I agree, you'd want to do what you describe to prevent IP spoofing.

Avi

> >>>>> "Avi" == Avi Freedman <[email protected]> writes:
> 
>     Avi> This is actually an incoming filter...
>     Avi> acc 102 permit ip any 198.138.103.0 0.0.0.255
> 
> Ummmm.... disclaimer, I'm not an expert on this, but according to my
> understanding of how Cisco access lists work, the incoming filter you
> showed actually does nothing at all.  The normal situation is that
> packets are coming in from random addresses, destined for your
> internal network.  There is nothing in this filter that prevents your
> own source addresses from being spoofed outside your border.
> 
> It seems to me that you want something more like this, which is what
> we have in place:
> 
> 	acc 102 deny ip 198.138.103.0 0.0.0.255 any
> 	...
> 	acc 102 permit ip any any
> 
> It seems to work for us.  Please let me know if I'm missing something here!
> 
> --
> Bruce Robertson, President/CEO
> Great Basin Internet Services, Inc.
> +1-702-348-7299  fax: +1-702-348-9412
> 

- - - - - - - - - - - - - - - - -
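
The two filters compared in this thread, run through a small model of IOS extended access-list matching (first match wins, implicit deny at the end). This is an added example, not code from either poster; the function names and the test addresses 192.0.2.10 and 203.0.113.5 are constructed for illustration, and the lines elided with "..." in the quoted list are left out.

```python
import ipaddress

# Constructed sample: the two "acc 102" variants from the thread, with the
# protocol keyword written out and the elided lines omitted.
PERMIT_ONLY = ["permit ip any 198.138.103.0 0.0.0.255"]
ANTI_SPOOF = ["deny ip 198.138.103.0 0.0.0.255 any", "permit ip any any"]

def parse_addr(tokens):
    """Consume 'any' or 'address wildcard' and return (address, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wild

def parse_entry(line):
    """Parse '<permit|deny> ip <source> <destination>' into a tuple."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src = parse_addr(tokens)
    dst = parse_addr(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in entry: {line}")
    return action, src, dst

def matches(ip, spec):
    """Wildcard bits set to 1 are 'don't care'; all other bits must be equal."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry for a packet src -> dst."""
    for line in acl:
        action, s, d = parse_entry(line)
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"  # every IOS access list ends with an implicit deny

if __name__ == "__main__":
    for name, acl in (("permit-only", PERMIT_ONLY), ("anti-spoof", ANTI_SPOOF)):
        # Packet arriving from outside that claims an internal source address.
        print(name, evaluate(acl, "198.138.103.7", "198.138.103.20"))
```

The permit-only list passes the packet with the forged internal source and drops transit traffic; the deny-first list drops the forged packet and passes everything else.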