[70974] in North American Network Operators' Group
RE: Real-Time Mitigation of Denial of Service Attacks Now Available
daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Jun 3 02:55:47 2004
Date: Thu, 3 Jun 2004 09:55:11 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: nanog@merit.edu
In-Reply-To: <DD7FE473A8C3C245ADA2A2FE1709D90B0DB187@server2003.arneill-py.sacramento.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu

On Wed, 2 Jun 2004, Michel Py wrote:
> > Jon R. Kibler wrote:
> > IMHO, there is absolutely no excuse for not doing ingress and
> > egress filtering. In fact, if you are an ISP, I would argue
> > that you are negligent in your fiduciary responsibilities to
> > your customers and shareholders if you are not filtering
> > source IP addresses.
>
> Hey, I'm all for it. Where's the money and the staff?

  set routing-options forwarding-table unicast-reverse-path feasible-paths
  set interfaces yy-x/x/x unit 0 family inet rpf-check

What else do you need?

Or did you buy crap that doesn't support (good) uRPF, or even doesn't
support (line-rate) filtering? Change the vendors and filter at your
core connecting those crappy boxes then.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
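
Added example (not part of the original message, and not Junos code): a simplified Python model of the strict uRPF decision that the two configuration lines above enable, comparing Junos's default active-paths behaviour with the feasible-paths option. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: prefix -> [(interface, is_active_path)].
# 192.0.2.0/24 is a dual-homed customer; ge-0/0/2 is its backup link.
ROUTES = {
    "192.0.2.0/24": [("ge-0/0/1", True), ("ge-0/0/2", False)],
    "198.51.100.0/24": [("ge-0/0/3", True)],
}

# Constructed packets: (source address, arrival interface, note).
PACKETS = [
    ("192.0.2.10", "ge-0/0/1", "customer via primary link"),
    ("192.0.2.10", "ge-0/0/2", "customer via backup link"),
    ("192.0.2.10", "ge-0/0/3", "spoofed from another customer port"),
    ("198.51.100.5", "ge-0/0/3", "single-homed customer"),
    ("203.0.113.7", "ge-0/0/3", "spoofed, no route to source"),
]

def paths_to(src):
    """Longest-prefix match on the source; returns its candidate paths."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), paths) for p, paths in ROUTES.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return []
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rpf_accept(src, in_iface, mode):
    """Strict uRPF: accept only if in_iface is a valid reverse path to src."""
    paths = paths_to(src)
    if mode == "active-paths":      # only the best (active) route counts
        allowed = {ifc for ifc, active in paths if active}
    elif mode == "feasible-paths":  # any known route to the source counts
        allowed = {ifc for ifc, _ in paths}
    else:
        raise ValueError(mode)
    return in_iface in allowed

def verdicts(mode):
    """Accept/drop decision for every constructed packet, in order."""
    return [rpf_accept(src, ifc, mode) for src, ifc, _ in PACKETS]

if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        print(mode)
        for (src, ifc, note), ok in zip(PACKETS, verdicts(mode)):
            print(f"  {'accept' if ok else 'drop  '} {src:<13} {ifc}  {note}")
```

The only verdict that differs between the two modes is the dual-homed customer's traffic arriving on its backup link, which is the asymmetric-routing case feasible-paths is meant to keep working while spoofed sources are still dropped.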