[61583] in North American Network Operators' Group


Re: What do you want your ISP to block today?

daemon@ATHENA.MIT.EDU (Jack Bates)
Sat Aug 30 12:35:56 2003

Date: Sat, 30 Aug 2003 11:30:57 -0500
From: Jack Bates <jbates@brightok.net>
To: Rob Thomas <robt@cymru.com>
Cc: Sean Donelan <sean@donelan.com>, NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.56.0308292156120.16842@dragon.sauron.net>
Errors-To: owner-nanog-outgoing@merit.edu


Rob Thomas wrote:

> Oh, good gravy!  I have a news flash for all of you "security experts"
> out there:  The Internet is not one, big, coordinated firewall with a
> handy GUI, waiting for you to provide the filtering rules.  How many
> of you "experts" regularly sniff OC-48 and OC-192 backbones for all
> those naughty packets?  Do you really want ISPs to filter the mother
> of all ports-of-pain, TCP 80?

Yes. While I hate to admit it, the one thing worse than not applying
filters is applying them incorrectly. A good example would be the ICMP
rate limits. It's one thing to shut off ICMP, or even to filter 92-byte
ICMP. The second one rate-limits ICMP echo/reply, they have just destroyed
the number one network troubleshooting and performance testing tool. If
it was a full block, one would say "it's filtered". Yet with rate
limiting, you just see sporadic results: sometimes good, sometimes high
latency, sometimes dropped.

Filter edges, and if you apply a backbone filter, apply it CORRECTLY!
Rate-limiting ICMP is not correct.


-Jack

