It is more of a case of at all. My associates feel that if a downstream ISP pissed someone off, it is their problem to solve, not ours. We do filter traffic not destined for our IP space at our borders, but, for the same reasons you stated, do nothing outbound, except on our BGP sessions where we don't want certain netblocks routed in the Internet.

My concern is, if a perpetrator is persistent enough, he can write a ping flood program that uses some obscure ICMP type that is rarely used, say net-tos-redirect, and get in that way. Even if we were to block ICMP completely, which would take away source-quench, he could use UDP, or perhaps even TCP SYN floods and the like to get at this guy. Either way, it is a difficult situation. Moreover, it is difficult to trace this stuff back through, because I have to get every ISP, NSP, etc., etc. involved in order to trace spoofed IP addresses.

How do you block spoofed IP addresses? I am already blocking ICMP redirects and IP source routed packets. Is there a better way, or should I just tell my customer to deal? I want to prevent this from consuming my bandwidth as well.

Thanks!

-Chris

Deepak wrote:

Are you trying to avoid a precedent of filtering at all or just filter at a whim? I don't think it's really possible nowadays to be responsible and not do _any_ filtering. I'd love to be able to not, but sometimes we have to.

We also block source routed packets at our borders. We filter all inbound traffic to make sure it is destined for IPs that we route for (we can't filter outbound both by policy and technical difficulty).

-Deepak.

On Wed, 25 Mar 1998, Martin, Christian wrote:
That is what I am going to do. But with over 100 downstream customers, and IOS 11.1 (sans named access lists) I don't want to start a precedent.
Thanks!
On Wed, 25 Mar 1998, Jain, Deepak wrote:
Why not just filter all ping traffic to his T1 until the attack subsides?
-Deepak.
On Wed, 25 Mar 1998, Martin, Christian wrote:
Hello All,
I have a customer who is being ping-flooded. His bandwidth is being sucked up due to these floods, and he wishes me to block them on my router. I am somewhat reluctant to do this, since it goes against our policy; however, the customer has been very patient with us on this issue and his patience is running out.

I would be implementing on a Cisco 7507, with 3 T-3s to the Internet, and the customer hangs off the router on a T-1. What is the general consensus on providing such a service, particularly in terms of processing overhead and manageability? Is there another way to prevent this type of attack, aside from watching packets go by and trying to trace it back through the source? The source IPs are spoofed.

Thanks!

Christian Martin
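The three filters the thread talks about, written out as an added example for the IOS 11.1 / numbered-ACL situation Christian describes. This is not configuration from either poster; the prefixes (192.0.2.0/24 as "our" space, 198.51.100.0/24 as the flooded customer's T-1 assignment), the interface names and the ACL numbers are all assumed for illustration. It shows the border anti-spoof list, the per-customer ingress list (the part that actually stops spoofed floods, but only when every ISP does it on its own customer edges), and the temporary ICMP-echo block toward the customer's T-1.

```cisco
! Added example, not from the thread. Addresses, interface names and
! ACL numbers are hypothetical: 192.0.2.0/24 stands for "our" space,
! 198.51.100.0/24 for the flooded customer's T-1 assignment.
!
! Global: discard IP source-routed packets (already done by both posters).
no ip source-route
!
! ACL 101: inbound on the T-3s. IOS 11.1 has no named ACLs, so these
! are numbered extended lists. A packet arriving from the Internet that
! claims a source inside our own space is spoofed by definition.
! ICMP redirects from an upstream are dropped as well.
access-list 101 deny   ip   192.0.2.0 0.0.0.255 any
access-list 101 deny   icmp any any redirect
access-list 101 permit ip   any any
!
! ACL 102: inbound on each customer T-1 (ingress filtering). Only
! sources the customer was assigned may enter from their link, so the
! customer cannot originate a spoofed flood at someone else. The
! implicit deny at the end drops everything else.
access-list 102 permit ip 198.51.100.0 0.0.0.255 any
!
! ACL 103: temporary, outbound toward the flooded customer. Drops ICMP
! echo aimed at the customer's block while the attack lasts, but still
! passes everything else, including source-quench and echo-reply.
access-list 103 deny   icmp any 198.51.100.0 0.0.0.255 echo
access-list 103 permit ip   any any
!
interface Hssi0/0/0
 description T-3 to upstream (hypothetical interface name)
 no ip redirects
 ip access-group 101 in
!
interface Serial1/0/0
 description T-1 to flooded customer (hypothetical interface name)
 no ip redirects
 ip access-group 102 in
 ip access-group 103 out
```

Two caveats a practitioner would want. First, ACL 103 only protects the customer's T-1: the flood still crosses the T-3s and consumes that bandwidth, which is exactly the problem Christian raises, and nothing on this router can fix that while the sources are spoofed; only ACL 102-style ingress filtering at the attacker's own ISP stops it. Second, `no ip redirects` stops this router from generating redirects on that link; it is the `deny icmp any any redirect` entry that drops redirects arriving from outside. After applying the lists, check `show access-lists` for the match counters and `show processes cpu` to confirm the 7507 is not being pushed into process switching by the filters.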