nanog mailing list archives
Re: New Denial of Service Attack on Panix
From: Tim Bass <bass () cactus silkroad com>
Date: Sat, 21 Sep 1996 16:21:44 -0400 (EDT)
Hi Vadim!

You are absolutely correct in your 'red flag' that source route filtering does not solve 'all the world's ip-spoofing security problems', and a great deal of work needs to be done.

On the other hand, if all end-user providers at least filter to help guarantee that only valid customer source addresses come from their sphere of influence, these types of denial-of-service attacks would be easier to trace, track, and plug, when necessary.

You know how these types of issues are mitigated; one-step-at-a-time. The source route filtering from end-user providers needs to happen, just as ISPs used to demand new providers BGP 'in the old days'. It is not too difficult for higher tier providers to 'sniff and audit' to discover the 'non-compliant' providers, or to set up a mechanism to verify this automatically.

One step at a time.

Certainly, it is in the best interest of the performance of the Big I to have the filter lists as far down the routing tier as possible and to keep the higher level transit nets as 'filter clean as possible' (filtering 101).

This sounds like a gloomy and extremely difficult task; and the reality is that there is no 100 percent solution, but maybe .95 is achievable in the short term? .98?

Large transit carriers must 'say no' to mid-level providers that refuse to aggressively insure that filtering their customers takes place, and this, in itself, is a very difficult-to-enforce task.

Best Regards,

Tim

PS: Vadim! ......... The East coast is not the same without seeing you in the bookstores and computer stores from time to time.
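The automatic check the message mentions ("set up a mechanism to verify this automatically"), sketched as an added example that is not part of the original post: a transit carrier compares source addresses sampled on each customer-facing interface with the prefixes assigned to that downstream provider. The provider names, prefixes, samples and the use of .95 as a cut-off are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: prefixes assigned to each downstream provider
# (documentation ranges; provider names are hypothetical).
ASSIGNED = {
    "provider-a": ["192.0.2.0/24", "198.51.100.0/25"],
    "provider-b": ["203.0.113.0/24"],
    "provider-c": ["198.51.100.128/25"],
}

# Constructed sample: (ingress provider, source address) pairs as sampled
# on the carrier's customer-facing interfaces.
SAMPLES = [
    ("provider-a", "192.0.2.17"),
    ("provider-a", "198.51.100.5"),
    ("provider-a", "198.51.100.200"),   # outside provider-a's /25
    ("provider-b", "203.0.113.9"),
    ("provider-b", "10.1.2.3"),         # private address, never valid here
    ("provider-b", "192.0.2.44"),       # belongs to provider-a
    ("provider-c", "198.51.100.129"),
    ("provider-c", "198.51.100.254"),
]

def audit(assigned, samples):
    """Count sampled packets per provider and collect out-of-prefix sources."""
    nets = {p: [ipaddress.ip_network(n) for n in ns] for p, ns in assigned.items()}
    report = defaultdict(lambda: {"total": 0, "invalid": []})
    for provider, src in samples:
        addr = ipaddress.ip_address(src)
        entry = report[provider]
        entry["total"] += 1
        # A source is valid only if it falls inside a prefix assigned to
        # the provider it arrived from.
        if not any(addr in net for net in nets.get(provider, [])):
            entry["invalid"].append(src)
    return dict(report)

def non_compliant(report, threshold=0.95):
    """Providers whose share of valid sources is below the threshold (assumed .95)."""
    flagged = {}
    for provider, entry in report.items():
        valid_share = 1 - len(entry["invalid"]) / entry["total"]
        if valid_share < threshold:
            flagged[provider] = round(valid_share, 2)
    return flagged

if __name__ == "__main__":
    print(non_compliant(audit(ASSIGNED, SAMPLES)))
```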