On Thu, 16 Jan 2003, hc wrote:
> > Normally that's not very productive as they are mostly owned boxes that will be rebuilt and reowned in days :(
> I agree, keeping track of the attacks would not be very useful nor helpful. I bet if more ISPs would implement egress filtering on their border routers, it'd help quite a bit. Of course, egress filters don't solve the issue. But considering most script kiddies' intelligence level
Egress filters are a distraction... today you don't have to spoof. These are the red herring of 'security'. THOUGH, all that said, having all networks, CUSTOMER NETWORKS, filtered as close to end systems as possible would be a nice thing :) As Rob Thomas points out 80% (or some huge number) of attacks are spoofed source attacks. Every leaf network should be able to do the minimum uRPF strict on all ether or gig link... that way you don't even have to take the hit of an ACL to process the inbound traffic :) This is most definitely best done as close to the end machines as possible though, the traffic loads there are just much more manageable... and it reduces the possible spoofage to the lowest limit possible.
> is limited, it will help at least a bit. :-) The problem with egress filtering is that it's mostly applicable at the end tier2+ level, not at the backbones, which means a lot of ISPs who are oblivious to what it is (or some cases where egress filter breaks their network setup).
Hmm, but the smaller the network the easier to filter it is... right?
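
The strict uRPF check discussed in this thread, modelled as an added example (it is not code from any participant): a packet is accepted on a customer-facing interface only if the best route back to its source address points out that same interface. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical leaf router: (prefix, outgoing interface).
FIB = [
    ("192.0.2.0/25", "eth1"),     # customer LAN A
    ("192.0.2.128/25", "eth2"),   # customer LAN B
    ("0.0.0.0/0", "uplink0"),     # default route toward the upstream
]

def best_route(src, fib=FIB):
    """Longest-prefix match on the source address; (network, iface) or None."""
    ip = ipaddress.ip_address(src)
    matches = []
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            matches.append((net, iface))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def urpf_strict(src, in_iface, fib=FIB):
    """Strict mode: accept only if the route back to src uses in_iface."""
    route = best_route(src, fib)
    return route is not None and route[1] == in_iface

def filter_packets(packets, fib=FIB):
    """Return (src, in_iface, 'accept' | 'drop') for each packet."""
    return [(src, iface, "accept" if urpf_strict(src, iface, fib) else "drop")
            for src, iface in packets]

# Constructed packets arriving on customer-facing links: (source, interface).
SAMPLE = [
    ("192.0.2.10", "eth1"),    # genuine LAN A host
    ("192.0.2.200", "eth1"),   # LAN B address seen on the LAN A link
    ("203.0.113.5", "eth1"),   # off-net source, only matches the default route
    ("192.0.2.200", "eth2"),   # genuine LAN B host
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{iface:8} {src:15} {verdict}")
```

The decision falls out of the existing route lookup rather than a separate rule list, and the closer the check sits to the end hosts, the narrower the range of source addresses that pass it.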