[4306] in North American Network Operators' Group
Re: SYN floods continue
daemon@ATHENA.MIT.EDU (Avi Freedman)
Wed Sep 11 16:35:40 1996
From: Avi Freedman <freedman@netaxs.com>
To: bruce@greatbasin.net (Bruce Robertson)
Date: Wed, 11 Sep 1996 16:30:30 -0400 (EDT)
Cc: nanog@merit.edu, generous@uucom.com
In-Reply-To: <199609112020.NAA29101@owl.greatbasin.net> from "Bruce Robertson" at Sep 11, 96 01:20:14 pm
I was talking about a different filter.
The one I listed was designed to prohibit someone at an exchange point
from using our network for transit.
I agree, you'd want to do what you describe to prevent IP spoofing.
Avi
> >>>>> "Avi" == Avi Freedman <freedman@netaxs.com> writes:
>
> Avi> This is actually an incoming filter...
> Avi> acc 102 permit ip any 198.138.103.0 0.0.0.255
>
> Ummmm.... disclaimer, I'm not an expert on this, but according to my
> understanding of how Cisco access lists work, the incoming filter you
> showed actually does nothing at all. The normal situation is that
> packets are coming in from random addresses, destined for your
> internal network. There is nothing in this filter that prevents your
> own source addresses from being spoofed outside your border.
>
> It seems to me that you want something more like this, which is what
> we have in place:
>
> acc 102 deny ip 198.138.103.0 0.0.0.255 any
> ...
> acc 102 permit ip any any
>
> It seems to work for us. Please let me know if I'm missing something here!
>
> --
> Bruce Robertson, President/CEO
> Great Basin Internet Services, Inc.
> +1-702-348-7299 fax: +1-702-348-9412
>
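The two filters in the exchange above behave differently on a spoofed packet, and the difference is easier to see by running both over sample traffic. The following is an added example, not code from either poster: a small Python model of Cisco extended-ACL semantics (wildcard masks where a set bit means "don't care", first-match evaluation, and the implicit deny at the end of every list). The packets and the third access list (number 103, which combines the anti-spoofing deny with the no-transit permit) are constructed here for illustration; only the 198.138.103.0/24 prefix and lists 102 come from the thread.

```python
"""Model of Cisco extended access-list evaluation (added example).

Semantics modelled:
  * wildcard mask: a 1 bit means "ignore this bit" when comparing addresses
  * entries are tested top to bottom, first match wins
  * a packet matching no entry hits the implicit deny at the end of the list
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: str         # dotted quad, or "any"
    src_wild: str    # wildcard mask for src ("0.0.0.0" when src is "any")
    dst: str
    dst_wild: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits we actually compare
    return (a & keep) == (b & keep)


def _parse_addr(toks: list, i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return "any", "0.0.0.0", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'acc <num> permit|deny [ip] <src> <dst>' line."""
    toks = line.split()
    if not toks[0].startswith("acc") or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    i = 3
    if toks[i] == "ip":             # protocol keyword, as in the thread's lines
        i += 1
    src, src_wild, i = _parse_addr(toks, i)
    dst, dst_wild, _ = _parse_addr(toks, i)
    return Ace(toks[2], src, src_wild, dst, dst_wild)


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given src/dst."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"                   # Cisco's implicit deny at end of list


# Avi's inbound filter: only traffic addressed to our prefix gets in.
ACL_AVI = [parse_ace("acc 102 permit ip any 198.138.103.0 0.0.0.255")]

# Bruce's inbound filter: drop packets claiming to come from our own prefix.
ACL_BRUCE = [parse_ace("acc 102 deny ip 198.138.103.0 0.0.0.255 any"),
             parse_ace("acc 102 permit ip any any")]

# Constructed combination (list number 103 is an assumption, not from the thread):
# anti-spoofing deny first, then admit only what is destined to us.
ACL_BOTH = [parse_ace("acc 103 deny ip 198.138.103.0 0.0.0.255 any"),
            parse_ace("acc 103 permit ip any 198.138.103.0 0.0.0.255")]

# Constructed sample packets arriving on the external interface.
PACKETS = {
    "legit_inbound": ("10.1.1.1", "198.138.103.10"),
    "spoofed_own_src": ("198.138.103.5", "198.138.103.10"),
    "transit_attempt": ("10.1.1.1", "192.0.2.1"),
}


def run(acl: list) -> dict:
    """Map each sample packet name to the verdict the given ACL returns."""
    return {name: evaluate(acl, s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("Avi 102", ACL_AVI), ("Bruce 102", ACL_BRUCE), ("combined 103", ACL_BOTH)):
        print(label, run(acl))
```

Running it shows the point Bruce raises: list 102 as Avi posted it lets the spoofed packet through (its destination is inside the prefix, which is all that entry checks) while it does stop transit; Bruce's version stops the spoof but, ending in `permit ip any any`, would admit transit. Only the combined list does both, and the deny must come first because the permit entry would otherwise match the spoofed packet.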