[lir-wg] AS Number Policy

Previous message: [lir-wg] AS Number Policy

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Pekka Savola pekkas at netcore.fi
Thu Jul 11 20:11:26 CEST 2002

On Thu, 11 Jul 2002, Kurt Erik Lindqvist wrote:

> 
> > If the ISP doesn't do ingress filtering from the direction of the
> > customer, it will be done somewhere in the internet anyway.  Is it not
                                                                       ^^^
> > _better_ for the customer to get the block immediately (e.g. in the case
> > of misconfigured addresses), rather than have to wait for someone distant
> > to do it.  They won't be getting return packets _anyway_...

Oops, I made a drastic typo when editing the message.  Cut off that 
'not', so we agree.

> Well, if all those packets get filtered somewhere else in the network, that 
> part has surely never been in the path to the networks I worked for. We 
> have always seen DoS attacks with forged source addresses.

We perform additional form of filtering at our border routers to upstreams
and peerings (for ingress, check that our addresses are not listed; for
egress, we drop packets with private and other martian addresses just to
be sure).

This does not, naturally help with identifying spoofed DoS attacks 
reliably.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

Previous message: [lir-wg] AS Number Policy

Next message: [lir-wg] AS Number Policy

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ lir-wg Archives ]