North American Network Operators Group

Re: Things to do to make the network better
Owen DeLong writes:
> > I will also point out that many of the recent "smurf" attacks and
> > similar problems people are having on the net would be gone if people
> > would just carefully filter internal/external addresses on their
> > border machines, that is, prevent packets claiming to be from "inside"
> > networks from coming in from the "outside", and prevent packets
> > claiming to be from "outside" networks from going out from the
> > "inside". The latter will stop your network from *ever* being the
> > source of a wide variety of packet forgery attacks, and is necessary
> > to being a good network citizen. The former will stop your network
> > from being the subject of a wide variety of packet forgery attacks,
> > and is necessary to make your customers even remotely safe on the net.
>
> That's great if you're a downstream provider with no transit customers.
> However, when you become a transit provider,

OF COURSE this is mainly a "leaf network" thing, not a thing for transit networks. Large providers serving "leaf networks" with well defined connection points to them *can* do some filtering -- in particular, they can refuse to pass packets to a network claiming to originate from within it, and they can refuse to accept packets from a network claiming not to come from within it. That is not, of course, the true transit network case.

Extensive filtering *will* reduce the denial of service attacks of this sort we are getting. They can never eliminate them, but they *will* help. I cannot urge strongly enough that people start implementing this sort of filtering as soon as possible.

Perry
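
The border filtering rule discussed in this message, modelled as an added example (not part of the original post, and not any router's actual configuration). The prefixes and sample packets are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the leaf network owns these prefixes (documentation ranges).
INSIDE = [ipaddress.ip_network("192.0.2.0/24"),
          ipaddress.ip_network("198.51.100.0/24")]


def is_inside(addr, inside=INSIDE):
    """True if addr falls within one of the leaf network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in inside)


def border_filter(direction, src, inside=INSIDE):
    """Decide what the leaf-network border does with a packet.

    direction "in" = arriving from outside, "out" = leaving the inside.
    Only the claimed source address matters. Returns (action, reason).
    """
    if direction == "in":
        if is_inside(src, inside):
            return ("drop", "outside packet claims an inside source")
        return ("pass", "external source arriving from outside")
    if direction == "out":
        if not is_inside(src, inside):
            return ("drop", "inside packet claims an outside source")
        return ("pass", "internal source leaving the network")
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: (direction, source, destination, note)
SAMPLES = [
    ("out", "192.0.2.10", "203.0.113.5", "normal customer traffic"),
    ("out", "203.0.113.77", "203.0.113.255", "forged source, smurf-style"),
    ("in", "203.0.113.5", "192.0.2.10", "normal reply"),
    ("in", "198.51.100.9", "192.0.2.10", "forged inside source"),
]


def run(samples=SAMPLES):
    """Return the filter action for each sample packet, in order."""
    return [border_filter(d, s)[0] for d, s, _dst, _note in samples]


if __name__ == "__main__":
    for d, s, dst, note in SAMPLES:
        action, reason = border_filter(d, s)
        print(f"{d:3} {s:>14} -> {dst:<14} {action:4} ({reason}; {note})")
```

The same two checks, applied by a provider on the link to a single leaf network, give the provider-side filtering described in the reply; a true transit link has no fixed "inside" prefix list to test against.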