Re: Death of the Internet, Film at 11

On 10/25/2016 08:26, Rich Kulawiec wrote:
On Fri, Oct 21, 2016 at 10:53:42PM -0700, Ronald F. Guilmette wrote:
Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and today's events make it perfectly clear to even the most blithering of blithering idiots that network operators, en masse, have to start scanning their own networks for insecurities.
And start monitoring their own networks for *outbound* attacks. Too many people focus exclusively on inbound attacks, never realizing that every attack inbound to them is outbound from somewhere else.
What is it? 20 years? since the first time I was banned from NANOG for saying that the world would be a nicer place if EVERY true router refused to forward a packet whose SOURCE could not be reached from the port in question. (May not be stated clearly, but idea seems simple enough: If the proposed ICMP message would not be routed to the port the packet came from, the best plan is probably to log the event and drop the ICMP and the rogue packet on the floor.)

-- 
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." --Albert Einstein

From Larry's Cox account.

On Tue, 25 Oct 2016 18:54:22 -0500, Larry Sheldon said:
What is it? 20 years? since the first time I was banned from NANOG for saying that the world would be a nicer place if EVERY true router refused to forward a packet whose SOURCE could not be reached from the port in question. (May not be stated clearly, but idea seems simple enough: If the proposed ICMP message would not be routed to the port the packet came from, the best plan is probably to log the event and drop the ICMP and the rogue packet on the floor.)
That's not going to work when there's asymmetric routing. Say you get an inbound packet from eth0 and the routing table says you should send it out on eth2. However, it has DF set and eth2 has a smaller MTU, so you need to send back an ICMP FRAG reply. Now, do you send it out, or do you create a PMTUD black hole by dropping the reply because your local table says the source is routed out eth1? Hint: there's a difference between strict uRPF and loose uRPF.
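The strict-versus-loose uRPF distinction Valdis points to, as an added illustration that is not from any participant in this thread: a toy router with a constructed routing table and link MTUs checks one packet under each mode, showing the asymmetric-routing case where strict uRPF drops the packet while loose uRPF forwards it and sends the ICMP Fragmentation Needed back out a different port than the one the packet arrived on.

```python
import ipaddress

# Constructed example router: prefix -> (egress interface, link MTU).
# No default route, so a source with no route at all fails even loose uRPF.
ROUTES = {
    "10.0.0.0/8": ("eth1", 1500),
    "192.168.0.0/16": ("eth2", 1400),
    "172.16.0.0/12": ("eth0", 1500),
}


def lookup(addr):
    """Longest-prefix match. Returns (interface, mtu) or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, info in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def urpf_passes(src, ingress, mode):
    """strict: the route back to src must leave via the port the packet came in on.
    loose: any route back to src is enough, so asymmetric routing is tolerated."""
    route = lookup(src)
    if route is None:
        return False
    return route[0] == ingress if mode == "strict" else True


def handle(src, dst, ingress, size, df, mode):
    """Return what the router does with one packet under the given uRPF mode."""
    if not urpf_passes(src, ingress, mode):
        return "drop: uRPF"
    route = lookup(dst)
    if route is None:
        return "drop: no route"
    egress, mtu = route
    if size > mtu and df:
        # DF is set, so the packet cannot be fragmented; PMTUD relies on an
        # ICMP Fragmentation Needed going back to src. It leaves via the
        # source's route, which under asymmetric routing is not the ingress port.
        reply_port = lookup(src)[0]
        return f"icmp-frag-needed via {reply_port}"
    return f"forward via {egress}"
```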