North American Network Operators Group


Re: ingress filtering

  • From: Jared Mauch
  • Date: Thu May 28 15:12:58 1998

	The great thing about the CC images released by cisco
(as long as you're running with ip cef or ip cef dist), you can turn
this neato command on your interfaces to your customers:

	ip verify unicast reverse-path

	This automatically does filtering based on your local router's
routing table.

	This means you can take a customer connection and filter them.

	You will encounter problems if they are multihomed and have
netblocks that you don't route directly to them, but you can make
those changes later as they multihome.  We've had a few problems with
our customers and doing this, when we don't route all their address
space, but this is easily fixed.  Asymmetrical routing is an evil you
have to live with and adjust to, so if you have more than
one upstream, I would not apply such filters to those interfaces.

	I would recommend that everyone who has the ability to do this
on their routers do so.  This will help many possible problems.

	If we can get enough people to make this part of their default
configuration (such as no ip directed-broadcast is these days) on their
ports to customers, we could prevent many DoS attacks.  If you have
dialup LANs (i.e. MCI, UUNET, etc., who have big public dialup pools)
PLEASE filter these, as well as the smaller providers out there.

	- jared

> > On Thu, 28 May 1998, Mr. Dana Hudes wrote:
> > 
> > > Who *does* do ingress filtering? I have it on our border routers
> > > and customer connect ports. We have transit from MCI and UUNET.
> > > Neither has ingress filters -- see below message from MCI on
> > > this.
> > >
> > > Subject: Re: RFC1918 addresses from MCI
> > >    Date: Thu, 28 May 1998 08:16:23 -0700
> > >    From: [email protected]
> > >       To: [email protected]
> > >      CC: [email protected]
> > >
> > > Mr. Hudes,
> > >
> > > Thank you for your note.  MCI does not currently source filter address
> > > space at its ingress points.  Addresses sourced from non-routable or
> > > invalid addresses are not blocked or filtered.  Addresses destined to
> > > non-routable address space are not routed.
> > >
> > > If you think it is a security issue and it is on-going then please
> > > contact us with the target address so we can investigate.

-- 
       Work: [email protected] - We Make The Internet Work for Your Business
	     9-5pm(ET) 800 637 4424x2634 - 24x7 NOC - 800 424 3223
	    pgp key available via finger from jared[email protected]
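As an added illustration (not part of Jared's post and not IOS code), the following Python models the strict reverse-path check the post describes: a packet is accepted only when the best route back to its source address points out the interface it arrived on. The routing table, interface names and sample packets are constructed; it also reproduces the multihomed-customer false positive and the routing fix the post mentions.

```python
import ipaddress

# Constructed routing table: prefix -> interface the router forwards to.
# Serial0/Serial1 face customers, Ethernet0 faces the upstream. Customer B
# is multihomed and its second block is learned from elsewhere, so the best
# route to that block does not point back at Serial1.
ROUTES = {
    "10.1.0.0/16": "Serial0",        # customer A, single-homed
    "192.0.2.0/24": "Serial1",       # customer B, block announced to us
    "198.51.100.0/24": "Ethernet0",  # customer B, block we don't route to them
    "0.0.0.0/0": "Ethernet0",        # default route to upstream
}


def best_route(table, src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_permits(table, ingress, src):
    """Model of strict 'ip verify unicast reverse-path'.

    Permit only if the best route to src exits via the ingress interface.
    The default route is not counted as a valid reverse path here; that is
    an assumption of this model, not a statement about IOS behaviour.
    """
    match = best_route(table, src)
    if match is None or match[0].prefixlen == 0:
        return False
    return match[1] == ingress


# Constructed sample packets: (ingress interface, source address)
PACKETS = [
    ("Serial0", "10.1.2.3"),       # customer A, legitimate -> permit
    ("Serial0", "192.168.5.5"),    # RFC1918 source, only default route -> drop
    ("Serial0", "192.0.2.9"),      # customer A spoofing customer B -> drop
    ("Serial1", "192.0.2.9"),      # customer B, legitimate -> permit
    ("Serial1", "198.51.100.7"),   # customer B's unrouted block -> drop (false positive)
]

if __name__ == "__main__":
    for ifc, src in PACKETS:
        verdict = "permit" if strict_urpf_permits(ROUTES, ifc, src) else "drop"
        print(f"{ifc:8} {src:15} {verdict}")
    # The fix the post describes: route the multihomed block toward the customer.
    fixed = {**ROUTES, "198.51.100.0/24": "Serial1"}
    print("after routing fix:", strict_urpf_permits(fixed, "Serial1", "198.51.100.7"))
```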