[129358] in North American Network Operators' Group


Re: ISP port blocking practice

daemon@ATHENA.MIT.EDU (William Herrin)
Fri Sep 3 11:24:22 2010

In-Reply-To: <3A97A2BA-C9FE-4554-908D-AD3986CC3E1B@senie.com>
From: William Herrin <bill@herrin.us>
Date: Fri, 3 Sep 2010 11:23:00 -0400
To: Daniel Senie <dts@senie.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Sep 2, 2010 at 11:04 PM, Daniel Senie <dts@senie.com> wrote:
> Ingress filtering is the correct tool for the job.

Not really. Ingress filtering only ever protected you from being the
source of spoofing attacks, not the destination. The point of Zhiyun's
results is that it doesn't fully protect you from being the source
either.

Frankly, Zhiyun offers the first truly rational case I've personally
seen for packet filtering based on the TCP source port. You should
give his work more careful scrutiny.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
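The distinction drawn in the reply above (an ingress filter checks source addresses only where traffic enters from a customer, so it stops a customer from spoofing but does nothing about spoofed packets arriving for you from upstream) as an added illustration that is not part of this thread; the router model, interface names and documentation prefixes are constructed.

```python
import ipaddress

# Constructed edge-router model: one customer-facing interface ("cust0")
# with an allocated prefix, and one transit interface ("upstream") with none.
CUSTOMER_PREFIXES = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
}


def ingress_filter(iface, src):
    """BCP 38 style source-address check on the interface a packet arrives on.

    Returns True if the packet is forwarded and False if it is dropped.
    Only customer-facing interfaces carry a prefix list; a transit interface
    has no meaningful source-address expectation, so everything passes there.
    """
    allowed = CUSTOMER_PREFIXES.get(iface)
    if allowed is None:
        return True  # transit side: spoofed packets destined to us are not caught
    return any(ipaddress.ip_address(src) in net for net in allowed)


def simulate():
    """Run three constructed packets through the filter and return the verdicts."""
    packets = [
        # legitimate customer traffic leaving the edge
        ("cust0", "203.0.113.5", "192.0.2.1"),
        # customer trying to spoof an address it does not own: dropped (source protection)
        ("cust0", "198.51.100.7", "192.0.2.1"),
        # spoofed packet arriving from the Internet for the customer: passes (no destination protection)
        ("upstream", "198.51.100.7", "203.0.113.5"),
    ]
    return {(iface, src, dst): ingress_filter(iface, src) for iface, src, dst in packets}


if __name__ == "__main__":
    for key, forwarded in simulate().items():
        print(key, "forward" if forwarded else "drop")
```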

