Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Jeff Workman
  • Date: Mon Jan 20 17:51:23 2003

Stoned koalas drooled eucalyptus spit in awe as Avleen Vig exclaimed:

Doesn't this stop kazaa/morpheus/gnutella/FTP/<some aim stuff like
private chats>? This is a problematic setup, and woudl require the cable
modem provider to maintain a quickly changing 'firewall' :( I understand
the want to do it, but I'm not sure its practical to see it happen based
solely on the hassle factor :( Hmm, security, "you gotta pay to play"
(Some famous man once said that I believe)
Indeed it does break that. P2P clients: Mostly transfer illegal content.
As much as a lot of people love using these, I'm sure most realise they're
on borrowed time in their current state.
And it's your job as a network provider to determine the legality of your users' activities? Plus, you said the magic word "mostly" What about legit uses of P2P networks? Do you also stop your users from using NNTP as well, since it's "mostly" used for porn and warez? How about email? since, from the looks of my mail logs, SMTP traffic is "mostly" spam and sircam. :)

I'm sure your users would certainly pack up and take their business elsewhere if you placed these restrictions on them. Why not just put them all behind a firewall on RFC-1918 addresses, if you are going to block all incoming SYNs?

And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
another fashion soon.
Any true P2P system is going to need at least one end user to receive a SYN.

Ftp/HTTP etc I believe most cable providers currently block these anyway
I also believe this is usually stated in their TOS that they're not allowed to run services on their home computers. If I'm on IRC and I initiate an outgoing DCC chat, the open port on my box awaiting the connection is hardly a "service."

There's a chance it'd break things like file transfers on IM clients but
I'm sure they'd be altered too.
Unless I'm missing something, wouldn't it be necessary to modify both the clients and the servers to pass all FT traffic through the servers? I'm sure those who sell bandwidth to AOL and Yahoo would love it if they did that, but I don't see it happening.


Jeff Workman | |

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.