North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Yahoo! Lessons Learned
- From: Jared Mauch
- Date: Wed Feb 09 15:50:22 2000
On Wed, Feb 09, 2000 at 12:20:22PM -0800, Dan Hollis wrote:
> On Wed, 9 Feb 2000, Daniel Senie wrote:
> > I don't buy this. The wholesalers are allowing (requiring?) filters be
> > added to block port 25 to all but the retail ISP's mail servers.
> I dont buy it either, but when youre not their customer they dont have
> much incentive to lift a finger to stop denial of service attacks.
> Its also the excuse they gave me why they couldnt be bothered to disable
> directed broadcasts, by the way. "We dont have enough cpu to filter them".
This is a total shield these days if anyone claims that.
they either don't know how to manage their equipment, or have
other serious issues.
The only exceptions would be people who are entireley at
the OCn speed, and then it gets more dificult to filter.
Everyone comes down to at least 100M/sec (i guess, unless they're
talking gig e) and more likeley down to 45M or 10M at some point.
It's not that dificult to filter traffic. The problem becomes
deploying it in an existing infrastructure. You don't want to break
your existing customers.
That's why it can sometimes take a few days to shut down an open
relay. You have to determine who is allowed to use it and who is not.
There is no excuse for directed broadcasts these days though.
> I think all the tier1 networks need to seriously clean out the complacent
> dead wood and dust off the clue by four.
I agree, but I also understand that the job is not quite as simple
as you state. I'm sure it would take a group of people a day or two
to just do a single POP at a large provider. Many people would be easy to
take care of because they have a single t1 or something, but
once you're multihomed things become extremeley painful.
My rule of thumb is that if you're not speaking bgp though,
you can source filter easily, using the existing cisco knobs. (with your
customer that is).
I recommend that the contracts that the tier 1 providers write
require that the people who they provide access to run a secure network,
and list a 'security contact' before they will turn on services. it's
Jared Mauch | pgp key available via finger from firstname.lastname@example.org
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE |