On Fri, 11 Jul 1997, Jon Lewis wrote:
Why is it that the NSPs I've encountered refuse to do any sort of sanity filtering on their customer connections? i.e. If UUNet knows that FDT has only 205.229.48/20 and 208.215.0/20, why should they let me send traffic through their network with random source addresses?
FDT has been the target of forged source address UDP attacks for the past 2 days. It's all being stopped at our router that takes our UUNet T1, but the extra T1 traffic is causing UUNet's usually unreliable network to be even less reliable, and we've lost connectivity to UUNet several times this evening.
Its not feasible to filter packets on customer gateway routers. When you impose a packet filter on a GW router customer interface, all packets destined to that customer have to be matched to an access-list and then forwarded down the pipe or dropped. This increases the load on the router CPU, because it is used to switching the packets. Now you have to analyze each packet which takes up CPU time. This is not a nice thing to do to a router, especially while the router is trying to keep up with 50 other customers... And if more than 1 customer wants this type of service, you start really feeling the load. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ice9@paranoia.com http://www.paranoia.com/~ice9 My opinion may not reflect that of any living person, but its the only one that counts!! main() {for(;;fork());} =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=