-----Original Message-----
From: Kim Onnel [mailto:karim.adel@gmail.com]
Posted At: Monday, December 06, 2004 11:46 AM
Posted To: NANOG
Conversation: Blocking worms/ddos for customer for free?
Subject: Blocking worms/ddos for customer for free?
Hello,
Currently, on our ingress, we block spoofed packets and common worm/trojan ports.
We do that for all of our customers (residential DSL, dial-up, corporate DSL, and the data center hosted websites/servers). However, for me there are two ways to look at it: if I leave these worms to come in, they would consume our bandwidth and CPU; on the other hand, it looks like we're giving a free service, which in a way uses up our resources.
It's the same for DDoS: if I stop it for a customer, I'm giving him a free service; if I don't, it's gonna wreck my network.
Personally, I block the illegitimate packets out of my network (egress), but that's because I owe this to the Internet community, even if I am not getting paid for it.
I would like to know other providers' policies about this.
Blocking spoofed packets (inbound and outbound) is certainly a good thing and, in my opinion, should be done by providers across the board. Blocking worms/trojan/whatever ports starts to get a little more difficult, mainly due to the fact that they often use ports and protocols that are valid, and blocking them breaks things that are required. At the risk of starting the whole "Microsoft stuff should be banned from the Internet" rant, I'll use the example of ports 135-139. Some people block those ports and don't get too much grief from their customer base. Others that try to block them find that at least some portion of the customer base complains because they have something that relies on those ports to work. This leads many to choose the path of least resistance and not filter.

The other challenge with filtering is that it can consume resources, in some cases more quickly than not filtering at all. If traffic levels are high enough, filtering can melt down your router more quickly than not filtering. This obviously depends on a number of things, and we are seeing vendors produce routers that can filter at line rate without impacting performance or just plain falling over. Those routers can be very expensive, however, and if someone isn't paying for that additional service it can be hard to justify upgrading to a new line card that runs an easy six figures just to become your customer's free firewall.

Those two things said, we don't believe that we are our customer's firewall unless specifically contracted to perform that task. That ensures that we are compensated for the resources consumed and that we all agree on what is or is not valid traffic. All too often we have found that valid traffic for one person is not valid traffic for another, so "firewall rules" will vary from one customer to the next.

DDOS inbound to your customer may or may not wreck your network, and what looks like a DDOS attack can be valid traffic for some customers. I know that we handle it on a case-by-case basis with good customer communication before we take action, assuming it isn't wrecking the rest of our network. If it is wrecking our network, then we subscribe to the "sacrifice the one to save the many" philosophy and will stop the attack.

DDOS outbound from your network is again something that you need to double check to ensure that it really is a DDOS attack. In our case, if we see something that we strongly believe to be an outbound attack or can verify as an outbound attack, then we'll take action. Anomalous traffic gets investigated to see if it is an attack or if it is valid. That, to us, is just part of being a good net citizen and making sure our customers don't ruin someone else's day.

Regards,
Chad

----------------------------
Chad E Skidmore
One Eighty Networks, Inc.
http://www.go180.net
509-688-8180
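The spoofed-packet filtering both posts describe (source checks on customer ingress, and again on egress toward the Internet, which Kim calls what the provider owes the community), modelled as an added Python example that is not part of the thread. The interface names, the prefixes (RFC 5737 documentation space) and the packets are constructed samples.

```python
# Added example (not from the NANOG thread): the two anti-spoofing filters it
# describes, per-customer ingress source-address validation and an egress check
# that only lets the provider's own space leave. All names/prefixes constructed.
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "in_iface src dst")  # arrival interface, addresses

# Prefixes assigned to each customer-facing interface (constructed).
CUSTOMER_PREFIXES = {
    "dsl-cust-1": [ipaddress.ip_network("192.0.2.0/25")],
    "colo-cust-2": [ipaddress.ip_network("198.51.100.0/24")],
}
# Everything the provider itself announces (constructed).
PROVIDER_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

def source_allowed(src, prefixes):
    """Source-address validation: src must fall inside one of prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def ingress_filter(pkt):
    """Customer ingress: sources must be the customer's own; core links pass."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.in_iface)
    if prefixes is None:
        return "accept"
    return "accept" if source_allowed(pkt.src, prefixes) else "drop-ingress"

def egress_filter(pkt):
    """Egress to the Internet: only our own space may leave (ingress backstop)."""
    return "accept" if source_allowed(pkt.src, PROVIDER_SPACE) else "drop-egress"

def classify(pkt):
    """Ingress verdict unless accepted, in which case the egress verdict."""
    verdict = ingress_filter(pkt)
    return egress_filter(pkt) if verdict == "accept" else verdict

def apply_policy(packets):
    """Tally the verdicts for a batch of packets."""
    return dict(Counter(classify(p) for p in packets))

SAMPLE = [  # constructed traffic; destinations are in RFC 5737 TEST-NET-3
    Packet("dsl-cust-1", "192.0.2.10", "203.0.113.5"),     # legitimate
    Packet("dsl-cust-1", "192.0.2.200", "203.0.113.5"),    # neighbour's address
    Packet("dsl-cust-1", "10.0.0.1", "203.0.113.5"),       # forged private source
    Packet("colo-cust-2", "198.51.100.7", "203.0.113.9"),  # legitimate
    Packet("core-link", "10.0.0.1", "203.0.113.9"),        # entered unfiltered
    Packet("core-link", "192.0.2.130", "203.0.113.9"),     # legitimate transit
]
```

The core-link packet with a private source shows why the egress check matters even when customer ingress is filtered: it is the only place that catches spoofed traffic arriving on an interface without a per-customer prefix list.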