nanog mailing list archives
Re: What do you want your ISP to block today?
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sat, 30 Aug 2003 10:28:11 +0200
On Saturday, Aug 30, 2003, at 09:54 Europe/Amsterdam, Ray Wong wrote:
What would be great though is a system where there is an automatic check to see if there is any return traffic for what a customer sends out. If someone keeps sending traffic to the same destination without anything coming back, 99% chance that this is a denial of service
Eh? Have you ever run a mailing list?
No, haven't had the pleasure.
The majority of subscribers NEVER post. Those who do, post prior to the large quantity of traffic originates.
So? SMTP uses TCP, TCP generates incoming ACKs for outgoing data, so no problems there.
Christopher L. Morrow's mention of asymmetric routing for multihomed customers is more to the point, but if we can solve this for all those single homed dial, cable and ADSL end-users and not for multihomed networks, I'll be very happy.
attack. If someone sends traffic to very many destinations and in more than 50 or 75% of the cases nothing comes back or just an ICMP port unreachable or TCP RST, 99% chance that this is a scan of some sort.
Sure, and I scan my systems from outside all the time. I'm looking for validation that my system has NOT started listening on ports I don't run services on. It's called external monitoring, and is rather useful in letting me get a good night's sleep.
So which do you prefer: nobody gets to scan your systems from the outside (including you) or everyone gets to scan your systems from the outside (including you)?
but I'd still need a way to verify my sites can be reached from other places.
They have something for that now. It's called "ping".
If you want to know how TCP is working to a destination, you have to use TCP to test it.
As I mentioned above: this will not impact TCP at all because TCP generates return traffic. I'm sure there are one or two UDP applications out there that don't generate return traffic, but I don't know any. The only problem (except asymmetric routing when multihomed) would be tunnels, but you can simply enable RIP or something else on the tunnel to make sure it's used in both directions. Multicast doesn't generate return traffic so this would only apply to unicast destinations.
Scans by themselves certainly aren't inherently dangerous.
It should be possible to have a host generate special "return traffic" that makes sure that stuff that would otherwise be blocked is allowed through.
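Added example, not part of the original message: a sketch of the return-traffic check discussed above, run over constructed flow records from a customer edge. The record format, the addresses and the `min_pkts` / `min_dests` thresholds are assumptions; the 50% failure ratio and the multicast exemption come from the message.

```python
import ipaddress
from collections import defaultdict

def classify(flows, min_pkts=100, min_dests=20, fail_ratio=0.5):
    """flows: (direction, customer, remote, kind); kind is 'data', 'rst' or 'icmp_unreach'.
    min_pkts and min_dests are assumed thresholds; fail_ratio is the message's 50%."""
    sent = defaultdict(lambda: defaultdict(int))  # customer -> remote -> packets out
    answered = defaultdict(set)                   # customer -> remotes with real replies
    for direction, cust, remote, kind in flows:
        dests = sent[cust]
        if ipaddress.ip_address(remote).is_multicast:
            continue                              # multicast never generates return traffic
        if direction == "out":
            dests[remote] += 1
        elif kind == "data":                      # RST / ICMP unreachable is not an answer
            answered[cust].add(remote)
    verdicts = {}
    for cust, dests in sent.items():
        silent = [r for r in dests if r not in answered[cust]]
        if len(dests) >= min_dests and len(silent) / len(dests) > fail_ratio:
            verdicts[cust] = "scan"               # many destinations, most never answer
        elif any(dests[r] >= min_pkts for r in silent):
            verdicts[cust] = "dos"                # sustained one-way traffic to one target
        else:
            verdicts[cust] = "ok"
    return verdicts

def sample_flows():
    """Constructed records (documentation address ranges), not captured traffic."""
    flows = []
    for i in range(30):                           # mailing-list host: TCP ACKs come back
        flows += [("out", "10.0.0.1", f"198.51.100.{i}", "data")] * 5
        flows.append(("in", "10.0.0.1", f"198.51.100.{i}", "data"))
    flows += [("out", "10.0.0.2", "192.0.2.80", "data")] * 500  # nothing returns
    for i in range(40):                           # 30 RSTs, 5 silent, 5 real answers
        flows.append(("out", "10.0.0.3", f"203.0.113.{i}", "data"))
        if i < 30:
            flows.append(("in", "10.0.0.3", f"203.0.113.{i}", "rst"))
        elif i >= 35:
            flows.append(("in", "10.0.0.3", f"203.0.113.{i}", "data"))
    flows += [("out", "10.0.0.4", "224.0.1.1", "data")] * 1000  # multicast sender
    return flows

if __name__ == "__main__":
    for customer, verdict in sorted(classify(sample_flows()).items()):
        print(customer, verdict)
```

A multihomed customer whose replies arrive over another provider would show every destination as silent here, which is the asymmetric-routing limitation named in the message.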