North American Network Operators Group
Re: ICMP Attacks???????
On Thu, Aug 21, 1997 at 03:26:50PM -0500, Jon Green wrote:
> On Thu, 21 Aug 1997 13:18:34 -0700, [email protected] writes:
> >There is another mitigation: everyone here should commit to filtering
> >customer packets at the customer premises router (or at the dial in for
> >PPP/SLIP) such that it is not possible for a customer to send a packet into
> >the network that has an IP source address on it that is not assigned to
> >that customer. That is, no more lying about source addresses.
>
> Every time I show a customer of mine how to configure a router, I
> try to educate them on this. We need some kind of massive marketing
> effort to get this out to people though. People would do it, but nobody
> knows about it.

Ok, here's a question:

A router knows the network number and mask of each network to which it
has an interface.

Does it not make sense that the default thing for that router to do
would be to trash incoming packets which carry a source address not on
the network associated with that interface?

Certainly, you'd have to tell the router to accept all comers (except
locally addressed packets) on the WAN interface, but you need to tell
it which interface is the default route _anyway_, so that's trivial.

And for people with multiple, routed networks behind a router, well,
they could probably be assumed to be bright enough to enable additional
net/masks for a given interface _anyway_, so that's not really a
problem either.

Someone tell me, from either a technical or marketing standpoint, why
this idea is infeasible, no?

Cheers,
-- jra
--
Jay R. Ashworth                                           [email protected]
Member of the Technical Staff        Unsolicited Commercial Emailers Sued
The Suncoast Freenet          "People propose, science studies, technology
Tampa Bay, Florida             conforms." -- Dr. Don Norman +1 813 790 7592
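
The default behaviour proposed in the message above, modelled as an added example that is not part of the original post or any router's actual code: each customer-side interface accepts only sources inside its configured prefixes, and the default-route interface accepts everything except sources claiming a local prefix. The interface names, the `build_filter` helper and the sample addresses (RFC 5737 documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

def build_filter(interfaces, default_iface):
    """interfaces: {name: [prefix, ...]}; default_iface: name of the interface
    holding the default route. Returns accept(iface, src) -> bool."""
    nets = {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in interfaces.items()}
    # Prefixes that live behind the non-default (customer-side) interfaces.
    local = [n for name, ns in nets.items() if name != default_iface for n in ns]

    def accept(iface, src):
        addr = ipaddress.ip_address(src)
        if iface == default_iface:
            # WAN side: accept all comers except packets claiming a local source.
            return not any(addr in n for n in local)
        # Customer side: source must sit in a prefix configured on this interface.
        return any(addr in n for n in nets[iface])

    return accept

# Constructed sample configuration (hypothetical names, documentation prefixes).
INTERFACES = {
    "lan0": ["192.0.2.0/24"],
    # Second prefix models an additional routed network enabled by hand.
    "lan1": ["198.51.100.0/24", "203.0.113.0/25"],
    "wan0": [],
}

# Constructed packets: (arrival interface, claimed source address).
PACKETS = [
    ("lan0", "192.0.2.10"),     # legitimate host on lan0
    ("lan0", "198.51.100.5"),   # lan1's address arriving on lan0: spoofed
    ("lan1", "203.0.113.5"),    # host on the extra routed network
    ("lan1", "203.0.113.200"),  # outside the /25: not assigned here
    ("wan0", "203.0.113.200"),  # ordinary outside source
    ("wan0", "192.0.2.10"),     # local address arriving from the WAN: spoofed
]

def run_sample():
    accept = build_filter(INTERFACES, "wan0")
    return [(iface, src, accept(iface, src)) for iface, src in PACKETS]

if __name__ == "__main__":
    for iface, src, ok in run_sample():
        print(f"{iface:5} {src:15} {'accept' if ok else 'drop'}")
```
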