North American Network Operators Group
Re: Things to do to make the network better
>I will also point out that many of the recent "smurf" attacks and
>similar problems people are having on the net would be gone if people
>would just carefully filter internal/external addresses on their
>border machines, that is, prevent packets claiming to be from "inside"
>networks from coming in from the "outside", and prevent packets
>claiming to be from "outside" networks from going out from the
>"inside". The latter will stop your network from *ever* being the
>source of a wide variety of packet forgery attacks, and is necessary
>to being a good network citizen. The former will stop your network
>from being the subject of a wide variety of packet forgery attacks,
>and is necessary to make your customers even remotely safe on the net.

I strongly recommend such filtering in sections 5.7 and 5.8 of my
"Security Expectations for Internet Service Providers" draft
ftp://ds.internic.net/internet-drafts/draft-ietf-grip-isp-02.txt
and we've heard Paul plug
ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
here many times.

To answer Owen's comments regarding the difficulty of filtering for
transit providers, I argue that filtering should happen as close to
the actual hosts as possible.

Tom.

--
Tom Killalea (425) 649-7417
NorthWestNet [email protected]
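The border filtering rule quoted in the message above, worked through as an added example that is not part of the original post or of either draft it cites. The inside prefixes (RFC 5737 documentation ranges), the function names and the sample packets are all constructed for illustration.

```python
import ipaddress

# Assumption: the prefixes that sit "inside" this border (constructed sample data).
INSIDE_PREFIXES = [ipaddress.ip_network(p)
                   for p in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48")]

def is_inside(ip):
    """True if the address belongs to one of the inside prefixes."""
    return any(ip in net for net in INSIDE_PREFIXES)

def border_filter(direction, src):
    """Decide what a border machine does with a packet, by source address only.

    direction: "in"  = arriving on the outside interface
               "out" = leaving from the inside toward the outside
    Returns (action, reason).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "source address is not parseable"
    if direction == "in" and is_inside(ip):
        # "The former": protects inside hosts from packets forged to look local.
        return "drop", "inbound packet claims an inside source"
    if direction == "out" and not is_inside(ip):
        # "The latter": the network can never emit packets with a forged source.
        return "drop", "outbound packet claims an outside source"
    return "permit", "source is consistent with the interface it crossed"

# Constructed sample traffic: (direction, source, note)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5",   "ordinary inbound traffic"),
    ("in",  "192.0.2.10",    "outside packet forged with an inside source"),
    ("out", "198.51.100.7",  "ordinary outbound traffic"),
    ("out", "203.0.113.99",  "inside host forging an outside source"),
    ("out", "2001:db8:1::9", "ordinary outbound IPv6 traffic"),
    ("in",  "2001:db8:1::9", "outside IPv6 packet forged with an inside source"),
]

def evaluate(packets):
    """Return the action taken for each packet, in order."""
    return [border_filter(direction, src)[0] for direction, src, _ in packets]

if __name__ == "__main__":
    for direction, src, note in SAMPLE_PACKETS:
        action, reason = border_filter(direction, src)
        print(f"{direction:3} {src:15} {action:6} {reason} ({note})")
```
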