North American Network Operators Group

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Sun, 19 Jan 2003, Avleen Vig wrote:

> On Sun, 19 Jan 2003, Christopher L. Morrow wrote:
>
> > > you could partly get around this by blocking all 'SYN' packets going to
> > > your customers :-)
> >
> > and we are hoping none are hosting webservers or mail servers or....
> > right? Oh wait! I'll just make them use my datacenters, right?? or were
> > you not talking about the attacks?
>
> I was referring specifically to end user workstations. For example home
> machines on dial up or broadband connections.
> A lot of broadband providers already prohibit running servers and block
> certain inbound ports (eg 21 and 80).
> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.

Doesn't this stop kazaa/morpheus/gnutella/FTP/<some aim stuff like private
chats>? This is a problematic setup, and would require the cable modem
provider to maintain a quickly changing 'firewall' :( I understand the want
to do it, but I'm not sure it's practical to see it happen based solely on
the hassle factor :(

Hmm, security, "you gotta pay to play" (Some famous man once said that I
believe)

> Wouldn't that be faster than inspecting the destination port against two
> separate rules?
>
> I don't know how these operators do their blocking..