At 03:31 AM 4/14/98 -0600, Forrest W. Christian wrote:
On Tue, 14 Apr 1998, Hank Nussbacher wrote:
All outgoing pkts to 220.88.192.128/27 now should go to Null0. I am sure one can improve on the logic even more.
Exactly. All OUTGOING packets. Not Incoming. Not the smurf attack packets which are swamping your downstream customer, which have a source address from 220.88.192.128/27.
My textual mistake - this snippet is to send pkts to dev/null for all pkts *sourced* from 220.88.192.128/27. -Hank
I will concede that shutting off connectivity to a site by a large enough chunk of the net should get someone to fix stuff.... But part of the advantage of the MAPS RBL BGP feed is that it helps to cut down spam coming into your network. A BGP feed TODAY won't block a ping amplification attack aimed at your network or a downstream. All it will do is prevent your customers from using the ping amplification networks to launch an attack. And, if you have the appropriate anti-spoofing filters in place, they shouldn't be able to attack anything other than the valid source addresses you have in your outbound filter set.
- Forrest W. Christian (forrestc@imach.com)
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
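The distinction argued in this thread, as an added example that is not part of the original messages: a minimal Python model in which a null route installed from a blackhole BGP feed matches on destination only, while an egress anti-spoofing filter matches on source. The prefix 220.88.192.128/27 is the one from the thread; the customer range, the spoofed third-party address, the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Prefix from the thread: the ping-amplification (smurf) network.
AMPLIFIER = ipaddress.ip_network("220.88.192.128/27")
# Constructed for illustration: our customer address space (documentation range).
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")

NULL_ROUTES = [AMPLIFIER]            # what a blackhole BGP feed installs
EGRESS_ALLOWED_SOURCES = [CUSTOMER]  # anti-spoofing filter on the customer edge


def null_routed(dst):
    """Routing lookup is by destination only; the source is never consulted."""
    return any(ipaddress.ip_address(dst) in net for net in NULL_ROUTES)


def egress_permitted(src):
    """Anti-spoofing: customers may only send with their own source addresses."""
    return any(ipaddress.ip_address(src) in net for net in EGRESS_ALLOWED_SOURCES)


def forward(src, dst, direction):
    """Return 'forward' or 'drop:<reason>' for one packet."""
    if direction == "outbound" and not egress_permitted(src):
        return "drop:spoofed-source"
    if null_routed(dst):
        return "drop:null-route"
    return "forward"


# Constructed sample packets: (src, dst, direction).
SAMPLES = {
    # Echo replies from the amplifier network arriving for our customer:
    # the destination is the customer, so the null route never matches.
    "inbound_smurf_reply": ("220.88.192.130", "192.0.2.10", "inbound"),
    # Customer traffic toward the amplifier network with its real source.
    "outbound_to_amplifier": ("192.0.2.10", "220.88.192.159", "outbound"),
    # Customer traffic carrying a third party's address as source.
    "outbound_spoofed": ("198.51.100.7", "220.88.192.159", "outbound"),
}


def run_samples():
    return {name: forward(*pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict}")
```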