North American Network Operators Group

Re: Things to do to make the network better
Owen DeLong said once upon a time:

>> I will also point out that many of the recent "smurf" attacks and
>> similar problems people are having on the net would be gone if people
>> would just carefully filter internal/external addresses on their
>> border machines, that is, prevent packets claiming to be from "inside"
>> networks from coming in from the "outside", and prevent packets
>> claiming to be from "outside" networks from going out from the
>> "inside". The latter will stop your network from *ever* being the
>> source of a wide variety of packet forgery attacks, and is necessary
>> to being a good network citizen. The former will stop your network
>> from being the subject of a wide variety of packet forgery attacks,
>> and is necessary to make your customers even remotely safe on the net.

Expecting everyone else to do the right thing is the wrong way to solve
the problem. 99% of everyone else will always do the easiest thing,
which is nothing.

>That's great if you're a downstream provider with no transit customers.
>However, when you become a transit provider, it becomes much more difficult
>to determine inside vs. outside, since you're more in the middle between
>two "outsides" that pass traffic through you.

Use customer configurable filters. There is no excuse for becoming less
responsible as you grow larger.
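
The two border rules quoted above, and one reading of "customer configurable filters" for the transit case, as an added example that is not part of the original thread. The prefixes are constructed documentation ranges, the port names are hypothetical, and treating a customer filter as a per-port list of registered source prefixes is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation prefixes), not from the thread.
INSIDE = [ip_network("192.0.2.0/24")]

# Hypothetical transit provider: each customer port has its own source-prefix list.
CUSTOMERS = {
    "cust-a": [ip_network("198.51.100.0/25")],
    "cust-b": [ip_network("198.51.100.128/25"), ip_network("203.0.113.0/24")],
}


def _matches(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def border_filter(direction, src):
    """Edge network with a clear inside/outside.

    direction is 'in' (arriving from outside) or 'out' (leaving to outside).
    """
    claims_inside = _matches(src, INSIDE)
    if direction == "in":
        # Outside packet claiming an inside source: forged, protects us.
        return "drop" if claims_inside else "pass"
    if direction == "out":
        # Inside packet claiming an outside source: forged, protects others.
        return "pass" if claims_inside else "drop"
    raise ValueError(f"unknown direction: {direction!r}")


def customer_port_filter(port, src):
    """Transit case: there is no single 'inside', so filter per customer port.

    A packet is accepted only if its source is in that customer's own list.
    """
    if port not in CUSTOMERS:
        raise KeyError(f"no filter configured for port {port!r}")
    return "pass" if _matches(src, CUSTOMERS[port]) else "drop"


if __name__ == "__main__":
    print(border_filter("in", "192.0.2.10"))
    print(border_filter("out", "198.51.100.7"))
    print(customer_port_filter("cust-a", "198.51.100.200"))
```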