On Sun, 13 Jul 1997, Michael wrote:
Then couldn't the net also be a nicer place if the 'customer' filtered their outbound packets? Of course this involves trusting the engineer's of the downstream network to actually DO the filtering.
Obviously my previous posts were too simple and people didn't get the message...some even flamed me. In the cases where the customer runs the router at their site, this would be a likely place for filters to be installed. NSP's should require these customers to either have such filters on their routers, or if appropriate, on their customer's routers. For really big ISP's, they should require that their customers customers run with such filters, and so on. There should be clear rules and policies dealing with this...not just an unwritten "you really shouldn't do that". The thing that bugs me the most about FDT's 72 hours of UDP attack is that it almost certainly came from the admin of some well connected site or from a colo box somewhere. Unless I'm mistaken, forged UDP requires root access and (at the volume we received) was likely from a host with T1 or better connection to the net. This site, or its NSP (if the NSP provides/maintains the customer router) obviously runs no filters to prevent forged addresses from leaving their network. For example Sprint/Centel provides a T1 and Cisco 2501 in FDT's Tallahassee office (this wasn't my idea). This is a 2501 with an ethernet connection, only one serial port in use, and nothing else. It has the ability to run with a filter like: access-list 101 permit ip 199.44.96.0 0.0.7.255 0.0.0.0 255.255.255.255 without affecting performance in any measurable way, but Sprint/Centel _refused_ to install even that basic a filter, claiming their policy is "we don't filter". With attitudes like that in NSP's, it's amazing FDT's main office went about 2.5 years without a serious DoS IP attack. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ________Finger jlewis@inorganic5.fdt.net for PGP public key_______