Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Yahoo! Lessons Learned

  • From: Andrew Brown
  • Date: Wed Feb 09 14:40:27 2000

>> >The DoS prevention functions (not letting directed bcast in, and not letting
>> >forged addresses out) should be done at provider's side.
>> 
>> nope, won't work.  well...it might, but you also might find very irate
>> customers jumping up and down screaming about the filtering.  the
>> provider simply cannot know what is and what is not a broadcast
>> address, simply because the customer gets to set up their own
>> networks.
>> 
>> i, for one, am using what is "technically" a broadcast address as a
>> unicast address (think point to point).  others may be doing the same.
>> just because an address is an one end or another of a cidr block (or c
>> or b block), doesn't mean that it's broadcast.
>
>You're correct. Directed broadcast can only be properly identified in
>the equipment on the specific subnet. In other words, EVERYONE has to
>fix this, from end users to ISPs.

yep.

>To Vadim's main point, though, where to place protections: the answer I
>normally give to clients (whether ISPs or end users) is do it
>everywhere. There's no reason NOT to filter the egress from a corporate
>network, and then at the provider side filter the ingress from that same
>corporate network. There is plenty of router gear which can handle the
>needed filtering.

right, and there *are* things that providers *can* do in the way of
egress filtering.  for customers that are either (a) not multi-homed
or (b) not providing transit to their peers, they can do source
filtering.

>Dialup pools should also be protected. No sense in permitting problems
>to originate on a dialup modem or ISDN line. I know the Lucent/Ascend
>MAX product accepts an attribute Ascend-Source-IP-Check, which can be
>applied as a part of the RADIUS authentication. Have the large dialup
>wholesalers implemented this? 

probably not.  i'd be willing to be that a majority of the equipment
that's in use these days for providing dialup service doesn't have
that sort of capability.  one simple "cure", then, would be to place
something (a facket pilfering router) in between the dialup servers
and *their* means of internet connectivity.  a small separate lan for
your dialup pool.

>There'll be no magic cure for this issue. It will take a lot of measures
>from everyone.

yep.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.