North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Implementing anti-abuse techniques on ISP networks....
- From: Christopher Masto
- Date: Fri Aug 08 23:22:51 1997
On Thu, Aug 07, 1997 at 09:42:35AM -0700, Michael Dillon wrote:
> >Operational question: will a Livingston Portmaster allow source IP
> I presume that's the reason why people posted the Livingston filter rules
> at http://www.mtiweb.com/isp/livfilter.html
> There are other links regarding this topic in the "Security" section at
> Encourage your customers to implement these filters and encourage your ISP
> customers to get their customers to implement these filters...
I guess people don't read these threads very carefully.
Initally, someone said that ISPs should prevent their dial-up
customers from getting to port 25 on any machine other than the ISP's
I said that, _aside from filtering spoofed IPs_ we don't do any
blocking, and I don't think we should.
Someone then gave the example of spoofing another IP on the ISP's
network. This is not blocked by standard anti-spoofing rules, since
the fake source IP is inside the network it's coming from.
I clarified that this doesn't have anything to do with the port 25
question, and wondered whether a PortMaster does or can be made
to do the more complicated filtering neccesary to prevent it.
For those scoring along at home, it's not easily possible with the
RADIUS-based method I suggested, as the RADIUS server doesn't know
the dynamic IP that will be assigned until it has already accepted
the login. Oh well.
= Christopher Masto = firstname.lastname@example.org = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:email@example.com =
"Keep in mind that anything Kibo says makes a great sig." -- Kibo