North American Network Operators Group
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
- From: Christopher L. Morrow
- Date: Mon Jan 20 11:27:05 2003
On Sun, 19 Jan 2003, Avleen Vig wrote:
> On Sun, 19 Jan 2003, Christopher L. Morrow wrote:
> > > you could partly get around this by blocking all 'SYN' packets going to
> > > your customers :-)
> > and we are hoping none are hosting webservers or mail servers or....
> > right? Oh wait! I'll just make them use my datacenters, right?? or were
> > you not talking about the attacks?
> I was referring specifically to end user workstations. For example home
> machines on dial up or broadband connections.
> A lot of broadband providers already prohibit running servers and block
> certain inbound ports (eg 21 and 80).
> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.
Doesn't this stop kazaa/morpheus/gnutella/FTP/<some aim stuff like private
chats>? This is a problematic setup, and would require the cable modem
provider to maintain a quickly changing 'firewall' :( I understand the
want to do it, but I'm not sure it's practical to see it happen based
solely on the hassle factor :( Hmm, security, "you gotta pay to play"
(Some famous man once said that I believe)
> Wouldn't that be faster than inspecting the destination port against two
> separate rules?
> I don't know how these operators do their blocking..