North American Network Operators Group

Re: SYN spoofing
Right, but ISPs can still filter on the corporate networks and at the
aggregation points for DSL and dial and any non-bgp customer. Those
talking BGP to you should be encouraged to do similarly. The full thing
is like next to impossible to maintain but doing these kinds of
relatively steady-state bits and pieces can help.

> On Wed, 28 Jul 1999, Greg A. Woods wrote:
>
> > [ On Wednesday, July 28, 1999 at 11:21:35 (-0400), Daniel Senie wrote: ]
> > > Subject: Re: SYN spoofing
> >
> > In fact it's easy to buy off-the-shelf hardware today that can do
> > wire-speed filtering, assuming one has worked such costs into the budget
> > of building a network backbone....
>
> It is possible to do access filtering on the edges. Then comes the
> operational aspects of actually making such a thing scale across many many
> edge devices, especially when there are customers with their own space,
> and who may have customers behind them with _their_ own space. If a
> promising local isp is providing transit to a bunch of other local isps,
> changing every access-list on every edge node every time one of the
> customer isp's adds or deletes a customer, becomes a logistical nightmare.
>
> Some promising local isp's are then faced with blowing out huge
> access-lists virtually every hour of the day, and this becomes harder to
> manage when you take into accounts and now you have several tens of
> promising local isps all trying to match access-lists all around. Not to
> mention the actual physical limits on current hardware regarding the size
> of configurations.
>
> /vijay

----------------------------------------------------------------------
Wayne Bouchard
Frontier GlobalCenter
[email protected]
Network Engineer
(602) 416-6290
800-373-2499 x6290
FAX: (602) 416-6111
http://www.globalcenter.net
----------------------------------------------------------------------
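An added example, not part of the original message or thread: a sketch of the "steady-state" case discussed above, where source-address filters for statically assigned (non-BGP) attachments are generated from one assignment table instead of being edited by hand on each edge device. The interface names, the prefixes (documentation ranges) and the ACL line syntax are constructed for illustration and are not any vendor's exact syntax.

```python
import ipaddress

# Constructed sample data: non-BGP customer attachments and the prefixes
# assigned to each. In practice this would come from the provisioning system.
ASSIGNMENTS = {
    "dsl-agg1": ["192.0.2.0/25", "192.0.2.128/26"],
    "corp-cust7": ["198.51.100.0/24", "198.51.100.0/25"],  # overlapping entries
    "dial-pool3": ["203.0.113.0/24"],
}

def allowed_sources(prefixes):
    """Collapse assigned prefixes into the smallest equivalent set,
    which keeps the generated access list as short as possible."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def permits(interface, src, assignments=ASSIGNMENTS):
    """True if a packet arriving on `interface` carries a source address
    inside that attachment's assigned space; unknown interfaces permit nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net
               for net in allowed_sources(assignments.get(interface, [])))

def render_acl(interface, assignments=ASSIGNMENTS):
    """Emit an ingress filter in illustrative, vendor-neutral syntax:
    permit the assigned space, deny and log everything else."""
    lines = [f"! ingress source filter for {interface}"]
    for net in allowed_sources(assignments[interface]):
        lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    lines.append("deny ip any any log")
    return lines

if __name__ == "__main__":
    for name in ASSIGNMENTS:
        print("\n".join(render_acl(name)), end="\n\n")
    # Constructed test packets: (arrival interface, claimed source address)
    for iface, src in [("dsl-agg1", "192.0.2.130"),
                       ("dial-pool3", "198.51.100.9")]:
        verdict = "permit" if permits(iface, src) else "deny (spoofed source)"
        print(f"{iface} {src}: {verdict}")
```

Regenerating every filter from the table on each provisioning change addresses the static attachments only; customers with their own downstream address space, the case raised in the quoted reply, still need their prefix lists fed into the table from somewhere.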