--
Jason Slagle - CCNP - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail
"If dreams are like movies then memories are films about ghosts." - Adam Duritz - Counting Crows

On Wed, 28 Mar 2001, David Schwartz wrote:
I'll go one further -- if you're not going to investigate suspicious traffic (because it's too expensive or you're too lazy or whatever), it's probably better that you filter than not. At least that way you might minimize the damage done to others, and that's certainly a good thing.
I don't have a problem with filtering traffic that can't possibly be legitimate. If you're one of those people who agree that packets with RFC1918 source IPs have no place on the Internet, then filter that. You can even advocate that others filter it, because it has no possibility of blocking legitimate traffic.
What I do oppose is militant filtering advocacy where those filters will filter out legitimate traffic. ISPs should not feel coerced into "erring on the side of security" by filtering their customers' possibly legitimate traffic when there are reasonable alternatives. In this case, there is -- allow, analyze, follow up, filter if and where necessary.
That's all well and good if you are going to have someone monitor the logs of these packets 24x7, but if you have a customer get hacked and start spewing shitloads of spoofed-source packets at various networks (insert your favorite DDOS drone here), then the damage is high, immediate, and done by the time you notice it in most cases.

Jason
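As an added example (not code from either poster), the two stances in the thread expressed as a source-address triage: sources that cannot be legitimate on the Internet are dropped outright, while sources outside the customer's assigned prefixes are either logged for follow-up (the "allow, analyze, follow up" approach) or, in strict mode, dropped as presumed spoofing. The customer prefix, the sample flows and the function names are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Source ranges the thread agrees "can't possibly be legitimate" as Internet
# sources: RFC1918 private space, plus loopback for good measure.
NEVER_LEGITIMATE_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def classify_source(src: str, customer_prefixes: Iterable[str], strict: bool = False) -> str:
    """Decide what to do with a packet from `src` arriving on a customer port.

    'drop'  -- source has no place on the Internet, or (strict mode) is not
               in the customer's assigned space
    'log'   -- outside the customer's prefixes; possibly spoofed, so record it
               for follow-up instead of silently dropping
    'allow' -- source belongs to the customer
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NEVER_LEGITIMATE_SOURCES):
        return "drop"
    if any(addr in ipaddress.ip_network(p) for p in customer_prefixes):
        return "allow"
    return "drop" if strict else "log"


def triage(flows: List[Tuple[str, str]], customer_prefixes: Iterable[str], strict: bool = False):
    """Run classify_source over (src, dst) pairs; return per-action counts
    and the sources that still need a human to follow up."""
    prefixes = list(customer_prefixes)
    counts = {"drop": 0, "log": 0, "allow": 0}
    follow_up = []
    for src, _dst in flows:
        action = classify_source(src, prefixes, strict)
        counts[action] += 1
        if action == "log":
            follow_up.append(src)
    return counts, follow_up


# Constructed sample: one customer assigned 203.0.113.0/24 (a documentation range).
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.1"),     # customer's own address: allow
    ("10.1.2.3", "198.51.100.1"),        # RFC1918 source: drop outright
    ("192.0.2.99", "198.51.100.1"),      # not the customer's space: log (or drop if strict)
    ("203.0.113.200", "198.51.100.2"),   # customer's own address: allow
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS, ["203.0.113.0/24"]))
    print(triage(SAMPLE_FLOWS, ["203.0.113.0/24"], strict=True))
```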