[61733] in North American Network Operators' Group
Re: On the back of other 'security' posts....
daemon@ATHENA.MIT.EDU (Scott Francis)
Wed Sep 3 17:08:25 2003
Date: Wed, 3 Sep 2003 14:07:43 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: Owen DeLong <owen@delong.com>
Cc: nanog@merit.edu
Mail-Followup-To: Owen DeLong <owen@delong.com>, nanog@merit.edu
In-Reply-To: <2147483647.1062340468@imac-en0.delong.sj.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu
--VIT1Kna7lLfXMiZV
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Aug 31, 2003 at 02:34:28PM -0700, owen@delong.com said:
[snip]
> What you are saying works only so long as none of your edge connections
> represent a significant portion of the internet. How do you anti-spoof,
> for example, a peering link with SPRINT or UUNET? It's not realistic
> to think that you know which addresses could or could not legitimately
> come from them.
another poster wrote that the spoofed traffic he was seeing was coming from
0.0.0.4 - 40.0.0.0 in .4 increments ... simple bogon filtering would get rid
of a good chunk of that space. Granted, it's a small subset of anti-spoof
filtering, but there are still networks out there that don't even make _tha=
t_
best effort.
If folks would simply make the best effort they could, given their situatio=
n,
the Internet as a whole would be a dramatically nicer place. That best effo=
rt
will vary greatly by situation, but even a partial attempt is better than
none at all.
--=20
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui
--VIT1Kna7lLfXMiZV
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE/VlgfWaB7jFU39ScRAqY7AJ90lMdVjNdyWs+6qA76OFsufZbgyQCfVMVz
HKRsMg39AGsXfrVIEGRkzxI=
=oOOu
-----END PGP SIGNATURE-----
--VIT1Kna7lLfXMiZV--
