[192339] in North American Network Operators' Group


Re: Death of the Internet, Film at 11

daemon@ATHENA.MIT.EDU (Larry Sheldon)
Tue Oct 25 19:56:53 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Larry Sheldon <larrysheldon@cox.net>
Date: Tue, 25 Oct 2016 18:54:22 -0500
In-Reply-To: <zpTN1t00W1cZc5601pTjGG>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On 10/25/2016 08:26, Rich Kulawiec wrote:
> On Fri, Oct 21, 2016 at 10:53:42PM -0700, Ronald F. Guilmette wrote:
>> Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and
>> today's events make it perfectly clear to even the most blithering of
>> blithering idiots that network operators, en masse, have to start scanning
>> their own networks for insecurities.
>
> And start monitoring their own networks for *outbound* attacks.  Too many
> people focus exclusively on inbound attacks, never realizing that every
> attack inbound to them is outbound from somewhere else.

What is it? 20 years? since the first time I was banned from NANOG for 
saying that the world would be a nicer place if EVERY true router 
refused to forward a packet whose SOURCE could not be reached from the 
port in question.  (May not be stated clearly, but idea seems simple
enough:  If the proposed ICMP message would not be routed to the port 
the packet came from, the best plan is probably to log the event and 
drop the ICMP and the rogue packet on the floor.)

-- 
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

 From Larry's Cox account.
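
The check described in the message above (forward a packet only if the route back to its source leaves through the port it arrived on, otherwise log and drop) is what routers commonly implement as strict reverse-path filtering. The sketch below is an added example, not part of the original message; the forwarding table, port names and sample packets are constructed, and the addresses are documentation prefixes.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress port); documentation prefixes only.
FIB = [
    ("198.51.100.0/24", "cust1"),
    ("198.51.100.128/25", "cust2"),
    ("203.0.113.0/24", "cust2"),
    ("0.0.0.0/0", "upstream"),
]
ROUTES = [(ipaddress.ip_network(p), port) for p, port in FIB]


def egress_port(addr):
    """Longest-prefix match: the port a reply (e.g. an ICMP error) to addr would use."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, port) for net, port in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def strict_rpf(src, in_port, log):
    """Forward only if the route back to src points out the arrival port."""
    back = egress_port(src)
    if back == in_port:
        return True
    log.append(f"drop src={src} in={in_port} route_back={back}")
    return False


SAMPLE = [  # constructed (source address, arrival port) pairs
    ("198.51.100.10", "cust1"),   # source routed via the arrival port
    ("192.0.2.1", "cust1"),       # source only reachable via upstream
    ("198.51.100.200", "cust1"),  # more-specific /25 lives on cust2
    ("203.0.113.5", "upstream"),  # customer prefix arriving from outside
    ("192.0.2.1", "upstream"),    # covered by the default route
]


def run(sample=SAMPLE):
    log = []
    verdicts = [strict_rpf(src, port, log) for src, port in sample]
    return verdicts, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The third sample shows the operational caveat of the strict form: a source that is legitimately reachable through a different port (asymmetric or multihomed routing) is dropped too, so the check fits best on single-homed edge ports.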
