North American Network Operators Group


Re: Yahoo! Lessons Learned

  • From: Kai Schlichting
  • Date: Wed Feb 09 11:03:21 2000

At Tuesday 11:01 PM 2/8/00, Daniel Senie wrote:

>Please refer to RFC2644/BCP34 on the subject of directed broadcasts.
>This RFC recommends router vendors disable directed broadcasts by
>default. It also recommends ISPs disable directed broadcast on ALL
>routers. In light of the recent events, it would be good to see a
>concerted effort made by everyone to ensure this has been done.

I recall that SprintLink had some, uhm, plans to put ingress (and
egress?) filters on all interfaces facing dedicated customers that
were not multi-homed. This came after realization that education of
the end-user was a fruitless and herculean task: Network smarts
are virtually non-existent in IT departments, and even loads of
smaller ISPs everywhere. Whatever became of this project?

At what traffic level (across the entire box) do Cisco 7{0;2;5}00
routers with RSP{2;4} cards fall over and die because of CPU load?

>Of course as Paul has mentioned, we wrote RFC 2267 several years ago to
>address this very issue. I strongly encourage folks to take a hard look
>at ingress filtering. Hardware vendors have implemented features in
>dialup servers and routers which can help.

Without wanting to bash my favorite NAS vendor: I have asked for
'ip verify unicast reverse path' in their boxes as much as
2+ years ago. They recently admitted to having no record of this
request, and it has just now become a request for engineering.
Vendors do not have their focus on security, just like most
everyone else in the Internet "industry". Skating on thin ice
has a price...

>While implementing these measures may not directly benefit your network,
>doing so may thwart an attack against someone else's net. Tomorrow, the
>roles could be reversed. As with many areas of managing the Internet,
>cooperation is key.

Like the kind of cooperation that is making people close their open SMTP
relays voluntarily because closed relays are A Good Thing <tm> or
are a BCP? That always and only worked with threats of loss of connectivity
or humiliation through public exposure. Some networks have taken it upon
themselves to shield their customers from such well-deserved scrutiny
from the outside (Hi Dave!).

Nothing will change until Yahoo decides that the legitimate operators of
the Trinoo/Tribe/whatever slaves have acted with reckless neglect by not
keeping their system secured with vendor-issued patches.
But when they do, duck and cover for the wave of lawyers hitting like an
Ion-storm.

bye,Kai
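Editor's added example, not part of Kai's message or the NANOG thread: a small model of the two router-side checks the thread keeps coming back to, namely source-address ingress filtering (RFC 2267) in its strict unicast-RPF form, which is what "ip verify unicast reverse-path" does and what fits the single-homed customer interfaces mentioned above, and the RFC 2644 default of refusing to forward directed broadcasts (the smurf amplifier). The FIB, interface names, prefixes and sample packets are all constructed for illustration and do not describe any real network or vendor implementation.

```python
"""Forwarding-plane model of two anti-DoS checks.

Added illustration only: the FIB, interface names and packets below are
constructed, not taken from any real router or from the thread.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed FIB: prefix -> interface the prefix is reachable through.
FIB = [
    (IPNet("192.0.2.0/24"), "Serial0"),       # single-homed customer A
    (IPNet("198.51.100.0/24"), "Serial1"),    # single-homed customer B
    (IPNet("203.0.113.0/24"), "Ethernet0"),   # directly connected LAN
    (IPNet("0.0.0.0/0"), "POS2/0"),           # default route to upstream
]

# Interfaces with directly connected subnets, the targets a directed
# broadcast would be expanded onto.
CONNECTED = {"Ethernet0": IPNet("203.0.113.0/24")}
DEFAULT = IPNet("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPAddr
    dst: IPAddr
    ingress: str  # interface the packet arrived on


def lookup(addr, fib=FIB):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf_ok(pkt, fib=FIB, allow_default=False):
    """Strict unicast RPF: the packet's source must route back out the
    interface it came in on. A source covered only by the default route
    fails unless allow_default is set, mirroring the usual 'allow-default'
    knob; without it, strict uRPF is only sensible on single-homed edges."""
    route = lookup(pkt.src, fib)
    if route is None:
        return False
    prefix, iface = route
    if prefix == DEFAULT and not allow_default:
        return False
    return iface == pkt.ingress


def is_directed_broadcast(pkt, connected=CONNECTED):
    """True if dst is the broadcast address of a connected subnet and the
    packet did not originate on that subnet, i.e. forwarding it would turn
    a routed unicast into a link-layer broadcast (what RFC 2644 turns off)."""
    for iface, net in connected.items():
        if pkt.dst == net.broadcast_address and pkt.ingress != iface:
            return True
    return False


def forwarding_decision(pkt, urpf_ifaces=frozenset({"Serial0", "Serial1"}),
                        forward_directed_broadcast=False):
    """Returns ('forward', egress_interface) or ('drop', reason)."""
    if pkt.ingress in urpf_ifaces and not strict_urpf_ok(pkt):
        return ("drop", "urpf: %s not reachable via %s" % (pkt.src, pkt.ingress))
    if is_directed_broadcast(pkt) and not forward_directed_broadcast:
        return ("drop", "directed broadcast to %s" % pkt.dst)
    route = lookup(pkt.dst)
    if route is None:
        return ("drop", "no route to %s" % pkt.dst)
    return ("forward", route[1])


# Constructed sample traffic.
SAMPLES = {
    # customer A talking to customer B: passes uRPF, routed to Serial1
    "legit": Packet(IPAddr("192.0.2.10"), IPAddr("198.51.100.5"), "Serial0"),
    # customer A spoofing an unrouted source: only the default matches -> drop
    "spoofed_bogon": Packet(IPAddr("10.1.1.1"), IPAddr("198.51.100.5"), "Serial0"),
    # customer A spoofing customer B's address: routes via Serial1 -> drop
    "spoofed_neighbour": Packet(IPAddr("198.51.100.5"), IPAddr("192.0.2.10"), "Serial0"),
    # smurf-style packet to the LAN's broadcast address from outside it -> drop
    "smurf": Packet(IPAddr("192.0.2.10"), IPAddr("203.0.113.255"), "Serial0"),
    # traffic from the upstream, where strict uRPF is not applied -> forward
    "upstream": Packet(IPAddr("172.16.5.5"), IPAddr("192.0.2.10"), "POS2/0"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-18s %s" % (name, forwarding_decision(pkt)))
```

The strict check is deliberately only applied to the single-homed customer interfaces: on a multi-homed or transit-facing interface the best route to a legitimate source may point elsewhere, which is why the thread talks about filtering customers "that were not multi-homed" rather than every port.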