North American Network Operators Group
Re: Implementing anti-abuse techniques on ISP networks....
On Thu, Aug 07, 1997 at 09:42:35AM -0700, Michael Dillon wrote:
>
> >Operational question: will a Livingston Portmaster allow source IP
> >spoofing?
>
> I presume that's the reason why people posted the Livingston filter rules
> at http://www.mtiweb.com/isp/livfilter.html
>
> There are other links regarding this topic in the "Security" section at
> http://www.mtiweb.com/isp
>
> Encourage your customers to implement these filters and encourage your ISP
> customers to get their customers to implement these filters...

I guess people don't read these threads very carefully.

Initially, someone said that ISPs should prevent their dial-up customers from getting to port 25 on any machine other than the ISP's mail server. I said that, _aside from filtering spoofed IPs_ we don't do any blocking, and I don't think we should.

Someone then gave the example of spoofing another IP on the ISP's network. This is not blocked by standard anti-spoofing rules, since the fake source IP is inside the network it's coming from. I clarified that this doesn't have anything to do with the port 25 question, and wondered whether a PortMaster does or can be made to do the more complicated filtering necessary to prevent it.

For those scoring along at home, it's not easily possible with the RADIUS-based method I suggested, as the RADIUS server doesn't know the dynamic IP that will be assigned until it has already accepted the login. Oh well.

--
= Christopher Masto = [email protected] = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:[email protected] =
v---(cut here)---v
-- [email protected]
"Keep in mind that anything Kibo says makes a great sig." -- Kibo
^---(cut here)---^
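Added example (not part of the original post, and not PortMaster or RADIUS configuration): a small Python model of the distinction drawn in the message above, comparing a prefix-wide anti-spoofing rule with a check tied to the address assigned to each dial-up port. The address pool, port names and packets are constructed sample values from documentation address space.

```python
import ipaddress

# Constructed sample values (assumptions for illustration only).
ISP_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed dial-up pool
SESSIONS = {                                        # port -> address assigned at login
    "S0": ipaddress.ip_address("192.0.2.10"),
    "S1": ipaddress.ip_address("192.0.2.11"),
}

def prefix_filter(src):
    """Standard anti-spoofing rule: pass any source inside the ISP's own block."""
    return ipaddress.ip_address(src) in ISP_PREFIX

def per_port_filter(port, src):
    """Stricter rule: pass only the address currently assigned to this port."""
    return SESSIONS.get(port) == ipaddress.ip_address(src)

def classify(port, src):
    """Return the verdict of both filters for a packet seen on `port`."""
    return {"prefix": prefix_filter(src), "per_port": per_port_filter(port, src)}

# Constructed packets: (ingress port, claimed source address)
PACKETS = [
    ("S0", "192.0.2.10"),    # own assigned address
    ("S0", "192.0.2.11"),    # a neighbour's address inside the same pool
    ("S0", "198.51.100.7"),  # an address outside the ISP's block
]

def report():
    """Evaluate every sample packet against both filters."""
    return [(port, src, classify(port, src)) for port, src in PACKETS]

if __name__ == "__main__":
    for port, src, verdict in report():
        print(port, src, verdict)
```

The per-port check depends on the SESSIONS table, which can only be filled in once an address has been assigned to the port; a filter chosen before that point has nothing narrower than the prefix to match against.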