North American Network Operators Group


Re: Internet SYN Flooding, spoofing attacks

  • From: Paul Ferguson
  • Date: Fri Feb 11 21:42:08 2000

At 09:27 PM 02/11/2000 -0500, Vijay Gill wrote:

> IETF removed from the distribution list.

Thank goodness.

More:

> I think you're solving something else.  I submit that almost _all_ ISPs
> offer transit for their customers.  That's where the I part of the SP comes
> in.  For _peering_ links (peering being defined elsewhere), yes, this is a
> hard problem, but on the edges of the _peers_, this is not.  If everyone
> filtered their T1/DSx/OCx/E1/E3/STMx customers at their edges, using
> Unicast RPF where appropriate and filters where appropriate, life would
> become better.

Okay. Let's look at this simplistic situation. Perhaps I'm missing
something.

A   B
 \ /
  C
  |
  D

ISP C might be carrying traffic for B which might be destined via
ISP A (or traverse C). In some cases, for packets coming through
C from B, C may not have a reverse path back through B for that
packet. It might have a better path elsewhere.

D is a "Joe's Bait'n'Sushi Shop" ISP.

C might have some problems doing Unicast RPF, but it certainly
wouldn't have problems doing RFC2267-style filtering on its
access link to D; likewise there might be many "mini" connections
from C to other smaller downstream customers. THAT is where this
filtering needs to occur.

- paul
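
The A/B/C/D scenario from the message above, worked as an added example (not part of the original post): router C applies a strict Unicast RPF check and an RFC 2267-style source filter to the same packets. The interface names, the documentation prefixes and the contents of C's forwarding table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed forwarding table for router C: prefix -> interface of C's best path.
FIB_C = {
    ipaddress.ip_network("198.51.100.0/24"): "to_A",  # B's space; C prefers the path via A
    ipaddress.ip_network("203.0.113.0/24"): "to_D",   # prefix assigned to customer D
}

# RFC 2267-style filter: source prefixes accepted on each customer access link.
INGRESS_ALLOWED = {"to_D": [ipaddress.ip_network("203.0.113.0/24")]}

def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    matches = [net for net in FIB_C if addr in net]
    return FIB_C[max(matches, key=lambda net: net.prefixlen)] if matches else None

def strict_urpf_permits(in_if, src):
    """Strict uRPF: accept only if C's best route back to src leaves via in_if."""
    return fib_lookup(ipaddress.ip_address(src)) == in_if

def ingress_filter_permits(in_if, src):
    """Static filter: accept only sources inside the prefixes assigned to the link."""
    allowed = INGRESS_ALLOWED.get(in_if)
    if allowed is None:
        return True  # no filter configured here (the link toward B in this sketch)
    return any(ipaddress.ip_address(src) in net for net in allowed)

def evaluate(packets):
    """Return (packet, uRPF verdict, filter verdict) for each (interface, source)."""
    return [(p, strict_urpf_permits(*p), ingress_filter_permits(*p)) for p in packets]

# Constructed sample packets: (arrival interface on C, source address).
PACKETS = [
    ("to_B", "198.51.100.7"),  # legitimate traffic from B, return path is via A
    ("to_D", "203.0.113.20"),  # legitimate traffic from D
    ("to_D", "198.51.100.7"),  # D sourcing an address outside its assigned prefix
]

if __name__ == "__main__":
    for (in_if, src), urpf, acl in evaluate(PACKETS):
        print(f"{in_if:5} {src:15} strict-uRPF={'pass' if urpf else 'drop'} "
              f"filter={'pass' if acl else 'drop'}")
```

Strict uRPF drops B's legitimate traffic because C's return path points toward A, while on the single-homed link to D both checks agree and the out-of-prefix source is dropped.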