|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Network Operators and smurf
99% of the people know that but how do you propose to relay that message to every NOC on the Internet. THAT is the problem. On Fri, 24 Apr 1998, Rusty Zickefoose wrote: :-----BEGIN PGP SIGNED MESSAGE----- : :Hi all, : :<rant> : If were reading this list on a professional basis, we should be a :little clued, or at least attempting to get there. We're in the big :leagues now, read up on CIDR, figure out classless subnetting. To :advocate breaking legitimate routing because we, as an industry, don't want :to put in the time and effort to educate our end users is just a little :lame. :</rant> : : Had to get that off my chest. : : Anyway, it's been said here several times before, but I'll say it :again. : : To end the smurf type exploits, we need to do 2 things. : :1. Routers/Gateways should be configured to prevent the transmission of :echo-request packets, out an interface, to a destination address identical :to the broadcast address of that interface, except in those cases where :specifically required. : : This means getting vendors to give us a knob, and having it :default to off. : :This is the easy one folks, figuring out net-masks aren't that hard. The :transit providers might have problems with implementing this due to :hardware meltdown, but that's not where it needs to be implemented. : : !!Educate your (our) users!! : : :2. Routers/Gateways should be configured to drop all packets with :invalid source addresses. : : This is a little bit more difficult, particularly if your :multi-homed, but again, it's not the transit providers that are need to :implement this, its the end user. : : once more : : !!Educate your (our) users!! : :No. 2 has the benefit of fixing all manner of ills. : :The problem is us. This isn't a research network run and maintained by :the knowledgable. This is a business. We're selling a product, and if we :expect it to operate as advertised, it's up to us to educate those we sell :it to. : : :This is Mr. Pot, saying so long to all you kettles out there. : :- -- :Rusty Zickefoose | The most exciting phrase to hear in science, :[email protected] | the one that heralds new discoveries, is not : | "Eureka!", but "That's funny ..." : | -- Isaac Asimov : :-----BEGIN PGP SIGNATURE----- :Version: 2.6.2 : :iQCVAwUBNUDlvu4+ch/bGDylAQGktAQAolKXogM3Gyr/Wp/AE1h6jZo6QQOTtOIU :ZkFUI+Dk7tKCoc6BPZ4VrsiPF1zslnQoIWwdceubl7kK+GwIyH4CTWtAyXGP+wr3 :6EHKiYfZ19P/Wvhi0Cjxo2buxYgpLCEHeKR4GUKwnJI66HlInemlUp4zDpMQFy8R :mNIdSK/Pw1k= :=/Dxy :-----END PGP SIGNATURE----- : -- Regards, Jason A. Lixfeld [email protected] iDirect Network Operations [email protected] --------------------------------------------------------------------- TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company" Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs" 5415 Dundas Street West | http://www.torontointernetxchange.net Suite 301, Toronto Ontario | (416) 236-5806 (T) M9B-1B5 CANADA | (416) 236-5804 (F) ---------------------------------------------------------------------
|