This is not a nice thing to do to a router, especially while the router is trying to keep up with 50 other customers... And if more than 1 customer wants this type of service, you start really feeling the load.
I'm not saying UUNet should install whatever filters I want on their routers. I'm just saying the net would be a MUCH nicer place if NSP's all did ingress filtering on their customer connections. If current routers can't handle the load this would create, then NSP's need to find vendors willing to deliver the necessary power, or they need to rethink the way they design their networks.
Then couldn't the net also be a nicer place if the 'customer' filtered their outbound packets? Of course this involves trusting the engineer's of the downstream network to actually DO the filtering. Why have an NSP drop several customers off of the net because of one pre-pubescent ping flooder, when the offending customer himself can be dropped (unless his network is administered by pre-pubescent ping flooders) and not affect anyone else? Michael
On Sun, 13 Jul 1997, Michael wrote:
Then couldn't the net also be a nicer place if the 'customer' filtered their outbound packets? Of course this involves trusting the engineer's of the downstream network to actually DO the filtering.
Obviously my previous posts were too simple and people didn't get the message...some even flamed me. In the cases where the customer runs the router at their site, this would be a likely place for filters to be installed. NSP's should require these customers to either have such filters on their routers, or if appropriate, on their customer's routers. For really big ISP's, they should require that their customers customers run with such filters, and so on. There should be clear rules and policies dealing with this...not just an unwritten "you really shouldn't do that". The thing that bugs me the most about FDT's 72 hours of UDP attack is that it almost certainly came from the admin of some well connected site or from a colo box somewhere. Unless I'm mistaken, forged UDP requires root access and (at the volume we received) was likely from a host with T1 or better connection to the net. This site, or its NSP (if the NSP provides/maintains the customer router) obviously runs no filters to prevent forged addresses from leaving their network. For example Sprint/Centel provides a T1 and Cisco 2501 in FDT's Tallahassee office (this wasn't my idea). This is a 2501 with an ethernet connection, only one serial port in use, and nothing else. It has the ability to run with a filter like: access-list 101 permit ip 199.44.96.0 0.0.7.255 0.0.0.0 255.255.255.255 without affecting performance in any measurable way, but Sprint/Centel _refused_ to install even that basic a filter, claiming their policy is "we don't filter". With attitudes like that in NSP's, it's amazing FDT's main office went about 2.5 years without a serious DoS IP attack. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ________Finger jlewis@inorganic5.fdt.net for PGP public key_______
participants (2)
-
Jon Lewis -
Michael