Brandon Ross wrote:
We don't ask our vendors to provide equipment with directed broadcast turned off by default for our own use or use by any clueful operator. The reason we require directed broadcast to be turned off by default is so that when a less-than-clueful operator gets a hold of the same box, they don't become yet another smurf amplifier that ends up being used to attack us. If and when I have the leverage with a vendor to get this implemented, I use it, every single time.
and also wrote:
Yes, but, do you have any idea how many tech support calls would be generated by our customers complaining that they can't ping or be pinged? Our service is advertised as unrestricted Internet access. Our customers rightfully expect to be able to ping out as well as be pinged. If we blocked all echo throughout our network, we would be completely flooded with technical support calls. Doing something like this, similar to the several suggestions to filter all .0 and .255 addresses, is an attempt to fix the symptom instead of the real problem.
Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form of "fixing" the symptom. These things are being done because fixing the cause isn't practical. But what is the cause? Is it that kids with scripts will attack and try to bring down an IRC server or the network that hosts it? Or is it that they have the scripts in the first place? Or is it that they are using networks that allow them to do this in the first place? Fixing the kids' heads, I'm sure we all agree, would be the correct solution. But I don't believe this is really practical or possible. So what should be done is to make it so that they have no effect.

The cause of burglaries and thefts is bad people. So we put up fences and iron gates, install TV cameras in convenience stores, hire more security guards and police officers, enact laws with longer criminal sentences. But all of this is technically addressing the symptom of the problem. However, doing so is often the only practical way. So my position is that until we do have a practical solution to solve the cause of the problem, we simply have to deal with the effects the best we can, and this does mean dealing with and addressing the symptoms so that we do not suffer the effects.

The question is just what steps are the ones we should do. I admire Mindspring's position of making Internet access unrestricted. But what is the real motivation? Is it the goal of "perfect IP" or is it the business case of decreasing tech support costs? They are, after all, in the business of providing consumer dialup access, and as we all know that line of business is very costly in areas of tech support. Network attacks are also a real cost. I would suggest that treating some of the symptoms, at least for now, will cut some costs until the day that we can achieve the utopian goal of the perfect solution to the cause.

--
Phil Howard KA9WGN
Inturnet, Inc.
Director of Internet Services
Business Internet Solutions
eng at intur.net
philh at intur.net
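The thread contrasts two symptom-level controls: a router refusing to forward directed broadcasts onto its attached subnet, and the cruder suggestion to filter every address ending in .0 or .255. The following is an added illustration, not code from the thread or from any vendor, showing why the two are not equivalent; the subnets and addresses are constructed sample values.

```python
import ipaddress


def is_directed_broadcast(dst: str, attached_subnet: str) -> bool:
    """True if dst is the broadcast (or all-zeros) address of the subnet on the
    egress interface, i.e. the packet a router with directed broadcast disabled
    should refuse to turn into a LAN-wide broadcast (a smurf amplification step)."""
    net = ipaddress.ip_network(attached_subnet, strict=True)
    addr = ipaddress.ip_address(dst)
    return addr in net and addr in (net.network_address, net.broadcast_address)


def naive_last_octet_filter(dst: str) -> bool:
    """The heuristic suggested on the list: drop anything ending in .0 or .255,
    regardless of the real subnet mask."""
    return int(dst.rsplit(".", 1)[1]) in (0, 255)


def compare(dst: str, attached_subnet: str) -> dict:
    """Report what each control would do with one destination on one subnet."""
    return {
        "dst": dst,
        "mask_aware_drop": is_directed_broadcast(dst, attached_subnet),
        "naive_drop": naive_last_octet_filter(dst),
    }


# Constructed cases. Only the /24 case makes the two controls agree: on a /23 the
# naive filter discards a legitimate host, and on a /25 it misses the real
# broadcast address entirely, so the amplifier stays open.
SAMPLE_CASES = [
    ("192.0.2.255", "192.0.2.0/24"),      # true broadcast; both drop it
    ("198.51.100.255", "198.51.100.0/23"),  # valid host; naive filter breaks it
    ("203.0.113.127", "203.0.113.0/25"),  # real broadcast; naive filter lets it through
    ("203.0.113.128", "203.0.113.128/25"),  # network address; naive filter lets it through
]

if __name__ == "__main__":
    for dst, subnet in SAMPLE_CASES:
        print(subnet, compare(dst, subnet))
```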