[14501] in North American Network Operators' Group

Re: Things to do to make the network better

daemon@ATHENA.MIT.EDU (Pete Ashdown)
Mon Jan 5 13:03:51 1998

From: Pete Ashdown <pashdown@xmission.com>
To: nanog@merit.edu
Date: Mon, 5 Jan 1998 10:55:28 -0700 (MST)

Owen DeLong said once upon a time:

>> I will also point out that many of the recent "smurf" attacks and
>> similar problems people are having on the net would be gone if people
>> would just carefully filter internal/external addresses on their
>> border machines, that is, prevent packets claiming to be from "inside"
>> networks from coming in from the "outside", and prevent packets
>> claiming to be from "outside" networks from going out from the
>> "inside". The latter will stop your network from *ever* being the
>> source of a wide variety of packet forgery attacks, and is necessary
>> to being a good network citizen. The former will stop your network
>> from being the subject of a wide variety of packet forgery attacks,
>> and is necessary to make your customers even remotely safe on the net.

Expecting everyone else to do the right thing is the wrong way to solve the
problem.  99% of everyone else will always do the easiest thing, which is
nothing.

>That's great if you're a downstream provider with no transit customers.
>However, when you become a transit provider, it becomes much more difficult
>to determine inside vs. outside, since you're more in the middle between
>two "outsides" that pass traffic through you.

Use customer configurable filters.  There is no excuse for becoming less
responsible as you grow larger.
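
The filtering rules discussed in this message, sketched as a source-address check per arrival interface. This is an added example, not part of the original post; the interface names, the per-customer filter table and the documentation prefixes (RFC 5737) are assumptions made for illustration.

```python
import ipaddress

# Constructed topology; every name and prefix here is hypothetical.
INSIDE = [ipaddress.ip_network("192.0.2.0/24")]      # the provider's own space
CUSTOMER_FILTERS = {                                 # per-customer source filters
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.128/25"),
               ipaddress.ip_network("203.0.113.0/24")],
}


def _matches(addr, nets):
    return any(addr in net for net in nets)


def decide(arrival_iface, src):
    """Return 'permit' or 'drop' from the arrival interface and claimed source."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"                                # malformed source: never forward
    if arrival_iface == "upstream":
        # From outside: a source claiming to be "inside" is forged.
        return "drop" if _matches(addr, INSIDE) else "permit"
    if arrival_iface == "lan":
        # From inside heading out: only our own sources may leave.
        return "permit" if _matches(addr, INSIDE) else "drop"
    if arrival_iface in CUSTOMER_FILTERS:
        # Transit case: a customer port accepts only that customer's prefixes.
        allowed = CUSTOMER_FILTERS[arrival_iface]
        return "permit" if _matches(addr, allowed) else "drop"
    return "drop"                                    # unknown interface: default deny


def audit(packets):
    """Return the (interface, source) pairs the filter would drop."""
    return [(i, s) for i, s in packets if decide(i, s) == "drop"]


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [("upstream", "192.0.2.10"), ("lan", "192.0.2.10"),
              ("lan", "198.51.100.1"), ("cust-a", "198.51.100.200")]
    for iface, src in sample:
        print(iface, src, decide(iface, src))
```
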