At 01:28 PM 5/28/98 -0400, you wrote:

> Who *does* do ingress filtering? I have it on our border routers and customer connect ports. We have transit from MCI and UUNET. Neither has ingress filters -- see below message from MCI on this.

We do ingress and egress filtering. It's just a matter of keeping people on both sides of the border router from spoofing either by mistake or maliciously.

> The result of course is that spammers and other bad guys can try to attack your systems with forged source IP addresses. Random strange people in the 'net send "NETBIOS name service" (port 137) packets to my unix mail relay, which of course ignores them.

The NETBIOS name service comes from Winblows machines. I would venture to guess that your mailserver also has a resolver running that is also most likely authoritative for your or someone's domain. Either that or you are specifying that resolver via radius to your dialup clients. When a Winblows box does a DNS lookup, for some reason, it will also send a NETBIOS name service request thinking that there is a WINS resolver living at the same IP. It's just another example of MS doing very strange things. (Read: They don't know $h!t about IP and show it regularly!) The dialup provider that these requests are originating from should be filtering port 137 on egress to prevent it from making it to the global internet. Then again, we should all be egress and ingress filtering, filtering ICMP to our broadcast and network addresses and sending money to our favorite charity too. No matter how much we harp, there will be idiots with the keys to the router cabinets who just won't do the right thing.

-------
John Fraizer (root)        |  __   _                   | The System Administrator
                           | / /  (_)__  __ ____ __    | The choice
mailto:root@EnterZone.Net  | / /__/ / _ \/ // /\ \/ /  | of a GNU
http://www.EnterZone.Net/  | /____/_/_//_/\_,_/ /_/\_\ | Generation
A 486 is a terrible thing to waste...
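As an added illustration, separate from the thread above and not code from John Fraizer or EnterZone, here is a small Python model of the border-router policy the message describes: drop packets arriving from transit whose source claims one of our own prefixes (ingress anti-spoofing), drop packets leaving whose source is not one of our prefixes (egress anti-spoofing), stop NETBIOS name service (UDP/137) from leaking out, and refuse ICMP aimed at our network and directed-broadcast addresses. The prefixes, interface names and sample packets are all constructed for the example.

```python
"""Model of ingress/egress filtering at a border router.

Constructed example: the prefixes, interface names and packets below
are invented for illustration and do not describe any real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed: the address space this border router is responsible for.
OUR_PREFIXES = [IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None for icmp
    iface: str            # "outside" = transit link, "inside" = customer/LAN side


def is_ours(addr: IPv4Address) -> bool:
    """True if addr falls inside one of our announced prefixes."""
    return any(addr in p for p in OUR_PREFIXES)


def is_broadcast_or_network(addr: IPv4Address) -> bool:
    """True if addr is the network or directed-broadcast address of one of our prefixes."""
    return any(addr in (p.network_address, p.broadcast_address) for p in OUR_PREFIXES)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Apply the policy and return ("permit" | "deny", reason)."""
    if pkt.iface == "outside":
        # Ingress: nothing arriving from transit may claim one of our own addresses.
        if is_ours(pkt.src):
            return ("deny", "ingress: source claims our prefix (spoofed)")
        # Ingress: ICMP to our network/broadcast addresses is only useful for amplification.
        if pkt.proto == "icmp" and is_broadcast_or_network(pkt.dst):
            return ("deny", "ingress: icmp to network/broadcast address")
        return ("permit", "ingress ok")

    # Egress: anything we emit must carry a source from our own space.
    if not is_ours(pkt.src):
        return ("deny", "egress: source not in our prefixes (spoofed or misconfigured)")
    # Egress: keep NETBIOS name service chatter off the global internet.
    if pkt.proto == "udp" and pkt.dport == 137:
        return ("deny", "egress: netbios name service (udp/137)")
    return ("permit", "egress ok")


# Constructed sample traffic exercising each rule.
SAMPLE_PACKETS: List[Packet] = [
    Packet(IPv4Address("203.0.113.5"), IPv4Address("192.0.2.10"), "tcp", 25, "outside"),   # legit inbound mail
    Packet(IPv4Address("192.0.2.7"), IPv4Address("192.0.2.10"), "tcp", 25, "outside"),     # spoofed, claims our space
    Packet(IPv4Address("203.0.113.5"), IPv4Address("192.0.2.255"), "icmp", None, "outside"),  # ping to our broadcast
    Packet(IPv4Address("192.0.2.10"), IPv4Address("203.0.113.5"), "udp", 53, "inside"),    # legit outbound DNS
    Packet(IPv4Address("192.0.2.10"), IPv4Address("203.0.113.5"), "udp", 137, "inside"),   # NETBIOS leaking out
    Packet(IPv4Address("10.0.0.1"), IPv4Address("203.0.113.5"), "tcp", 80, "inside"),      # wrong source leaving
]


def summarize(packets: List[Packet]) -> Tuple[int, int]:
    """Return (permitted, denied) counts for a list of packets."""
    verdicts = [filter_packet(p)[0] for p in packets]
    return (verdicts.count("permit"), verdicts.count("deny"))


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = filter_packet(p)
        print(f"{p.iface:7} {p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict} ({why})")
    print("permit/deny:", summarize(SAMPLE_PACKETS))
```

The two anti-spoofing checks are the heart of it: the same prefix list drives both directions, so a packet that would be denied on the way in is exactly the kind of packet your neighbour's ingress filter would deny on the way out of you. The port 137 and broadcast-ICMP rules are the two concrete nuisances the message names; on a real router they would be the corresponding access-list entries applied to the outside and inside interfaces.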