On Wed, Feb 09, 2000 at 12:20:22PM -0800, Dan Hollis wrote:
> On Wed, 9 Feb 2000, Daniel Senie wrote:
> > I don't buy this. The wholesalers are allowing (requiring?) filters be added to block port 25 to all but the retail ISP's mail servers.
> I don't buy it either, but when you're not their customer they don't have much incentive to lift a finger to stop denial of service attacks.
> It's also the excuse they gave me why they couldn't be bothered to disable directed broadcasts, by the way. "We don't have enough cpu to filter them".
This is a total shield these days if anyone claims that. They either don't know how to manage their equipment, or have other serious issues. The only exceptions would be people who are entirely at the OCn speed, and then it gets more difficult to filter. Everyone comes down to at least 100M/sec (I guess, unless they're talking gig e) and more likely down to 45M or 10M at some point. It's not that difficult to filter traffic. The problem becomes deploying it in an existing infrastructure. You don't want to break your existing customers. That's why it can sometimes take a few days to shut down an open relay. You have to determine who is allowed to use it and who is not. There is no excuse for directed broadcasts these days though.
> I think all the tier1 networks need to seriously clean out the complacent dead wood and dust off the clue by four.
I agree, but I also understand that the job is not quite as simple as you state. I'm sure it would take a group of people a day or two to just do a single POP at a large provider. Many people would be easy to take care of because they have a single T1 or something, but once you're multihomed things become extremely painful. My rule of thumb is that if you're not speaking BGP though, you can source filter easily, using the existing Cisco knobs (with your customer, that is). I recommend that the contracts that the tier 1 providers write require that the people who they provide access to run a secure network, and list a 'security contact' before they will turn on services. It's fairly simple.

- jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  |
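The two filters the thread keeps coming back to, source filtering of a single-homed (non-BGP) customer and dropping directed broadcasts, are easy to state but worth seeing as concrete decision logic. The following is an added example, not code from the thread or from any router vendor: a small Python model of one customer-facing interface on a provider edge router. The class name `CustomerEdge`, the prefixes and every packet below are constructed for illustration (RFC 5737 documentation ranges); it assumes the customer's assigned prefixes are known to the provider, which is exactly the information a non-BGP customer's contract gives you.

```python
"""Toy model of two edge filters discussed in the thread (added example,
not from the original message or any vendor's code). Prefix, interface
and packet values below are constructed for illustration.

  1. Ingress from a non-BGP customer: the customer may only source packets
     from the prefixes assigned to that interface (BCP 38 style filtering).
  2. Egress toward the customer: drop packets addressed to the directed
     (subnet) broadcast address of a network behind the interface, which
     is the effect of disabling directed broadcasts on the router.
"""
from dataclasses import dataclass
from typing import Dict, List
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str  # source IPv4 address, dotted quad
    dst: str  # destination IPv4 address, dotted quad


class CustomerEdge:
    """Filters for one customer-facing interface on a provider's router (hypothetical)."""

    def __init__(self, customer_prefixes: List[str]):
        self.nets = [ipaddress.ip_network(p, strict=True) for p in customer_prefixes]
        # Only prefixes of /30 and shorter have a distinct subnet broadcast
        # address; /31 and /32 assignments do not (RFC 3021 for /31).
        self.broadcasts = {n.broadcast_address for n in self.nets if n.prefixlen <= 30}

    def ingress(self, pkt: Packet) -> str:
        """Packet arriving FROM the customer: permit only if the source
        address belongs to a prefix assigned to this customer."""
        src = ipaddress.ip_address(pkt.src)
        if not any(src in n for n in self.nets):
            return "drop:spoofed-source"
        return "permit"

    def egress(self, pkt: Packet) -> str:
        """Packet leaving TOWARD the customer's networks: drop if it is
        addressed to one of their subnet broadcast addresses."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst in self.broadcasts:
            return "drop:directed-broadcast"
        return "permit"


def apply_filters(edge: CustomerEdge, inbound: List[Packet],
                  outbound: List[Packet]) -> Dict[str, int]:
    """Run sample traffic through both filters and tally the verdicts."""
    tally: Dict[str, int] = {}
    for pkt in inbound:
        verdict = edge.ingress(pkt)
        tally[verdict] = tally.get(verdict, 0) + 1
    for pkt in outbound:
        verdict = edge.egress(pkt)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed example: a single-homed customer holding two prefixes.
EDGE = CustomerEdge(["192.0.2.0/24", "198.51.100.128/25"])

# Constructed sample traffic (RFC 5737 documentation addresses).
INBOUND = [
    Packet("192.0.2.10", "203.0.113.5"),       # legitimate customer source
    Packet("198.51.100.200", "203.0.113.5"),   # legitimate, second prefix
    Packet("203.0.113.9", "192.0.2.255"),      # source not assigned here: drop
    Packet("10.0.0.1", "203.0.113.5"),         # private source, not assigned: drop
]
OUTBOUND = [
    Packet("203.0.113.9", "192.0.2.255"),      # subnet broadcast of /24: drop
    Packet("203.0.113.9", "198.51.100.255"),   # subnet broadcast of /25: drop
    Packet("203.0.113.9", "192.0.2.10"),       # ordinary unicast: permit
]


def demo() -> Dict[str, int]:
    """Verdict counts for the constructed traffic above."""
    return apply_filters(EDGE, INBOUND, OUTBOUND)


if __name__ == "__main__":
    for verdict, count in sorted(demo().items()):
        print(f"{verdict:25s} {count}")
```

The ingress check is the part that only works cleanly for a non-BGP customer: for a single-homed site the set of legitimate source prefixes is fixed and known, so the filter is one static list; for a multihomed customer the legitimate sources depend on what they announce and from where, which is the painful case the message describes.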