[4348] in North American Network Operators' Group
Re: SYN floods (was: does history repeat itself?)
daemon@ATHENA.MIT.EDU (Justin W. Newton)
Fri Sep 13 10:41:40 1996
Date: Fri, 13 Sep 1996 10:51:14 -0400
To: Alexis Rosen <alexis@panix.com>, amb@xara.net (Alex.Bligh)
From: "Justin W. Newton" <justin@erols.com>
Cc: freedman@netaxs.com, stpeters@netheaven.com, nanog@merit.edu
At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
>Alex.Bligh writes:
>> I think you are talking about filtering inbound packets to your
>> router and restricting them to BGP announcements (I don't
>> think Avi was - see below). This would be done on the destination
>> address (checking it was within your announced route set) and
>> thus doesn't help protect against spoofed source addresses.
>
>No, Justin's talking about filtering _customers'_ packets at Justin's
>border with the customer. No BGP involved. This assumes customers that
>are not providers (ie, no transit for other nets through the customer).
>Good enough if all providers do the right thing (or if almost all do).
>
>What Justin meant about his BGP announcements was that a customer's
>packet is legal IFF Justin's announcing that packet's net by BGP (on
>_behalf_ of the customer, not _to_ the customer). Again, customer means
>a site that's not a BGP peer.
Actually what Justin was talking about is as follows...
Justin will only allow packets out of his border routers /to/ peers if they
are packets with a source address inside the ranges of addresses he
announces via BGP. I.e. if I announce 192.1.1.0 0.0.0.255 I would allow a
packet with an address of 192.1.1.1 out of my network into "the net at
large" but not if the packet's source address was 192.1.2.1. I will allow
any packet which I allow to enter my network into a customer's network.
Their filtering is their problem.
Justin Newton
Internet Architect
Erol's Internet Services
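The egress policy Justin describes, modelled in code as an added example for this archive page (it is not code from the thread or from Erol's). It takes announced ranges in the "address wildcard-mask" form the post uses, converts them to prefixes, and checks only packets headed toward a peer; the second announced range and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Announced ranges in "address wildcard-mask" form (wildcard bit = don't care).
# The first is the range from the post; the second is a constructed extra.
ANNOUNCED = [
    "192.1.1.0 0.0.0.255",
    "10.20.0.0 0.0.255.255",
]

def wildcard_to_network(rule: str) -> ipaddress.IPv4Network:
    """Turn 'addr wildcard' into a CIDR network.

    Only a contiguous run of low-order wildcard bits maps to a prefix;
    a non-contiguous wildcard is rejected rather than silently mis-read.
    """
    addr, wild = rule.split()
    mask_int = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    prefixlen = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {rule}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

ANNOUNCED_NETS = [wildcard_to_network(r) for r in ANNOUNCED]

def permit_egress(src: str, announced=ANNOUNCED_NETS) -> bool:
    """A packet may leave toward a peer only if its source is in an announced range."""
    ip = ipaddress.IPv4Address(src)
    return any(ip in net for net in announced)

@dataclass
class Packet:
    src: str
    dst: str
    toward_peer: bool  # True: egress to a peer; False: into a customer network

def filter_packets(packets):
    """Apply the post's policy: peer-bound packets are checked, customer-bound pass."""
    permitted, dropped = [], []
    for p in packets:
        (permitted if not p.toward_peer or permit_egress(p.src) else dropped).append(p)
    return permitted, dropped

if __name__ == "__main__":
    sample = [  # constructed sample traffic
        Packet("192.1.1.1", "198.51.100.7", True),   # legitimate egress
        Packet("192.1.2.1", "198.51.100.7", True),   # spoofed source, dropped
        Packet("203.0.113.9", "192.1.1.1", False),   # inbound to customer, passes
    ]
    ok, bad = filter_packets(sample)
    print(f"permitted={len(ok)} dropped={len(bad)}")
```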