[24702] in North American Network Operators' Group


Re: SYN spoofing

daemon@ATHENA.MIT.EDU (Ron Buchalski)
Tue Aug 3 11:39:23 1999

From: "Ron Buchalski" <rbuchals@hotmail.com>
To: randy@psg.com, jshaw@insync.net
Cc: John.Fraizer@EnterZone.Net, goemon@sasami.anime.net,
	bandregg@redhat.com, nanog@merit.edu
Date: Tue, 03 Aug 1999 08:33:59 PDT
Errors-To: owner-nanog-outgoing@merit.edu


>From: Randy Bush <randy@psg.com>
>To: Joe Shaw <jshaw@insync.net>
>CC: John Fraizer <John.Fraizer@EnterZone.Net>,Dan Hollis 
><goemon@sasami.anime.net>, bandregg@redhat.com,nanog@merit.edu
>Subject: Re: SYN spoofing
>Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)
>
>
> > How hard is it really to put a filter on your outbound links that says
> > drop all ip traffic heading out these links that isn't from my IP space?
>
>trivial.  only one gotcha.  if it is a backbone router, it will fall over
>dead.  beyond that, not a problem.
>
>backbone level traffic can not be packet filtered by current real routers.
>but we've had this discussion a few times already.
>
>randy
>

Which is why it's more scalable to do packet filtering at the edge, and 
leave the core to do what it does best...switch packets.

-rb
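
Added example, not part of the original messages: a Python sketch of the source-address check that filtering at the edge amounts to, where each customer-facing port only forwards packets sourced from the prefixes assigned to it. Port names, prefixes and packets are constructed for illustration (documentation address ranges).

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes assigned to each customer-facing edge port.
EDGE_PORTS = {
    "cust-a": ["192.0.2.0/25", "198.51.100.0/24"],
    "cust-b": ["203.0.113.0/24", "2001:db8:b::/48"],
}

# Constructed packets as (ingress edge port, source address, destination).
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),       # inside cust-a space
    ("cust-a", "192.0.2.200", "203.0.113.5"),      # outside the /25
    ("cust-a", "10.1.1.1", "203.0.113.5"),         # private-space source
    ("cust-b", "203.0.113.77", "198.51.100.9"),    # inside cust-b space
    ("cust-b", "192.0.2.10", "198.51.100.9"),      # cust-a address on cust-b port
    ("cust-b", "2001:db8:b:1::5", "2001:db8::1"),  # inside cust-b IPv6 space
    ("cust-b", "not-an-ip", "198.51.100.9"),       # malformed source
]

def build_filters(ports):
    """Parse the per-port prefix lists once, as a router would at config time."""
    return {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in ports.items()}

def permitted(filters, port, src):
    """True only if src falls inside a prefix assigned to that edge port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: drop
    # Unknown ports have no prefixes, so they default to deny.
    return any(addr.version == net.version and addr in net
               for net in filters.get(port, ()))

def filter_traffic(filters, packets):
    """Return (forwarded packets, per-port drop counts)."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if permitted(filters, port, src):
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1
    return forwarded, drops

if __name__ == "__main__":
    fwd, dropped = filter_traffic(build_filters(EDGE_PORTS), PACKETS)
    print(len(fwd), "forwarded;", dict(dropped), "dropped per port")
```

The fifth packet carries an address that belongs to the network but to a different customer; a per-port check at the edge drops it, while a single filter matching the whole address space on an outbound link would pass it.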



