North American Network Operators Group


Re: Block all servers?

  • From: jlewis
  • Date: Sat Oct 11 10:26:07 2003

Didn't Susan ask for this topic to move off-list?  Anybody (no...not
Merit) care to step up and create a nanog-issues list where such 
discussions can continue unmolested when the nanog topic police declare an 
important topic off-topic?  

I can understand how some operators might not want to hang out with the
masses in spam-l or spam-tools, or waste their time with the noise and
kooks in nanae.  But these are some pretty serious problems and if we
can't come up with solutions soon, the internet is pretty much totally
screwed.

See more below....

On Sat, 11 Oct 2003, Petri Helenius wrote:

> Secondly, it's very hard, if not impossible, to come up with a NAT device which
> could translate a significant amount of bandwidth. Coming up with one to put
> just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)

So do the NAT closer to the edge.  If you're providing DSL, do many of 
your customers use DSL modems plugged into their PCs (USB, PCI), or are 
you selling/leasing them DSL routers?  In the very beginning, we either 
sold or gave PCI or USB DSL modems to our customers, but those were 
usually a PITA to support due to problems with Windows, driver issues, 
hardware becoming unsupported when customers upgraded to the next version 
of Windows, etc.  Now, we only hook up DSL customers using DSL routers, 
and all the DSL routers we've ever used can do NAT, so there'd be no need 
to try to do NAT at the DSL agg router.

I suspect we could selectively do NAT or not for dial-up customers on our 
access-servers...though I'm not sure how the very large (like AS5400, 
AS5800) units would fare trying to do NAT for several hundred dial-up 
sessions. 

But why all this talk of NAT?  Even if we all universally deployed it on 
Monday, it wouldn't solve the problem.  All it would do is keep the 
spammer/hackers from turning grandma's PC into a web server/proxy.  She 
can still catch Tuesday's email virus which will cause her PC to hang out 
in some IRC channel or monitor some web page, and be remotely controlled 
for the purpose of sending spam, participating in DDoS floods...and now 
things just got much harder to track down.  When you get complaints that 
a.b.c.d is participating in some kind of attack, how do you tell which of 
the dozens or hundreds of customers NAT'd to that IP is 
responsible/infected?


----------------------------------------------------------------------
 Jon Lewis *[email protected]*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
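The attribution problem raised in the last paragraph of the post is what per-session NAT translation logging addresses. The example below is added here and is not from the post or its author; the translation log, addresses and complaint are constructed. It shows that a complaint naming only the shared outside address and a time leaves several customers as candidates, while one that also carries the source port and protocol pins the binding to a single inside host.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed NAT translation log, one binding per line, as an edge router
# or access server doing port-translating NAT might export it.
# Fields: start end proto inside_ip inside_port outside_ip outside_port
NAT_LOG = """\
2003-10-11T09:58:02 2003-10-11T10:03:10 tcp 10.1.4.17  51023 203.0.113.5 40001
2003-10-11T10:00:45 2003-10-11T10:40:12 tcp 10.1.9.201 6667  203.0.113.5 40002
2003-10-11T10:01:00 2003-10-11T10:01:30 udp 10.1.4.17  53    203.0.113.5 40003
2003-10-11T10:02:15 2003-10-11T10:30:00 tcp 10.1.7.66  1035  203.0.113.5 40004
"""

@dataclass
class Translation:
    start: datetime
    end: datetime
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int

def parse_nat_log(text):
    """Parse the whitespace-separated log format defined above."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        s, e, proto, iip, iport, oip, oport = line.split()
        entries.append(Translation(datetime.fromisoformat(s), datetime.fromisoformat(e),
                                   proto, iip, int(iport), oip, int(oport)))
    return entries

def attribute_complaint(log_text, outside_ip, when, port=None, proto=None, skew_seconds=0):
    """Return the sorted inside IPs whose binding to outside_ip was active at `when`
    (ISO 8601 string). `skew_seconds` widens the window to absorb clock drift
    between the complainant's logs and ours. Without port and protocol every
    customer sharing the address is a candidate; with them the match is unique."""
    t0 = datetime.fromisoformat(when)
    skew = timedelta(seconds=skew_seconds)
    hosts = set()
    for t in parse_nat_log(log_text):
        if t.outside_ip != outside_ip:
            continue
        if port is not None and t.outside_port != port:
            continue
        if proto is not None and t.proto != proto:
            continue
        if t.start <= t0 + skew and t.end >= t0 - skew:
            hosts.add(t.inside_ip)
    return sorted(hosts)
```

Without the binding log there is nothing to search; a NAT that logs only per-customer address assignments, not per-session ports and times, leaves the complaint unanswerable beyond "one of the hosts behind that address".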