North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Network Operators and smurf
- From: Karl Denninger
- Date: Fri Apr 24 19:01:58 1998
On Fri, Apr 24, 1998 at 06:39:28PM -0400, Dean Anderson wrote:
> At 5:53 PM -0400 4/24/98, Jay R. Ashworth wrote:
> >It's been my understanding that the knobs are in fact _not_ there,
> >Dean, but I'd be happy to be proven wrong.
> There isn't a simple knob, but then it isn't simple to know what a forgery
> is. You to have tell the router. The router doesn't know what you and
> other people "own", but you can tell it. I'd say there isn't a way to make
> a simple on/off knob for that, because there isn't any way to tell who you
> will transit for and who you won't.
> On your outbound interface(s):
> access-list 101 permit ip <yournet-1> any out
> access-list 101 permit ip <yournet-2> any out
> access-list 101 deny ip any any out
> This allows only packets sourced from your networks to be sent.
> Or, another perhaps better way is to only accept packets from your customer
> networks which are sourced from those networks. Each customer interface
> then has an inbound filter the blocks everything not sourced from your
> customers network.
Well, there is a simple knob for this:
If the Knob is turned "ON", then any packet from a source address which is
not routed to the interface it came in on is dropped.
This works for static, dynamic, and all other kinds of routing. It will
solve the problem and is trivial to implement - if any of the vendors care.
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost