Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: What do you want your ISP to block today?

  • From: Jack Bates
  • Date: Sat Aug 30 12:37:29 2003

Rob Thomas wrote:

> Oh, good gravy!  I have a news flash for all of you "security experts"
> out there:  The Internet is not one, big, coordinated firewall with a
> handy GUI, waiting for you to provide the filtering rules.  How many
> of you "experts" regularly sniff OC-48 and OC-192 backbones for all
> those naughty packets?  Do you really want ISPs to filter the mother
> of all ports-of-pain, TCP 80?

Yes. While I hate to admit it, the one thing worse than not applying filters is applying them incorrectly. A good example would be the icmp rate limits. It's one thing to shut off icmp, or even filtering 92 byte icmp. The second one rate-limits icmp echo/reply, they just destroyed the number one network troubleshooting and performance testing tool. If it was a full block, one would say "it's filtered". Yet with rate limiting, you just see sporadic results; sometimes good, sometimes high latency, sometimes dropped.

Filter edges, and if you apply a backbone filter, apply it CORRECTLY! Rate-limiting icmp is not correctly.


-Jack




