Re: Ping flood? Whats the point?

[r.fulton () AUCKLAND AC NZ (Russell Fulton)]

On Wed, 9 Feb 2000 16:41:42 +1300 Kerry Baker
<k.baker () cantva canterbury ac nz> wrote:

> > -----Original Message-----
> > From: Filip M. Gieszczykiewicz [mailto:filipg () corona eps pitt edu]
> > Sent: Wednesday, 9 February 2000 14:45
> > To: Kerry Baker
> > Cc: INCIDENTS () SECURITYFOCUS COM
> > Subject: Re: Ping flood? Whats the point?
>
> > So, do YOU filter output at your firewall? And if not, how ELSE can such
> > spoofs be prevented (if one assumes you have no access to equipment
> > upstream of your LAN)
>
> Yes we do.  Only valid source IP addresses from within our network are
> allowed out and we don't allow packets with source addresses that are ours
> in.  We also block the IANA private network addresses from entering our
> network too.  Those things seem to leak out all over the Internet.
> I doubt our upstream provider does the same due to the large number of
> networks under their wing, but they could if they wanted to and it would
> provide another layer of protection against spoofing.

Most modern routers allow both ingress and outgress filtering so even
if you don't have a full firewall (like us) or a traditional DMZ (which
we do) you should filter such traffic on your boundary router. We have
done this for over ten years, ever since we have been connected to the
net and like Kerry I am surprised that this isn't standard practice.

Russell.