nanog mailing list archives
Re: On the back of other 'security' posts....
From: Scott Francis <darkuncle () darkuncle net>
Date: Wed, 3 Sep 2003 14:07:43 -0700
On Sun, Aug 31, 2003 at 02:34:28PM -0700, owen () delong com said:
[snip]
> What you are saying works only so long as none of your edge connections represent a significant portion of the internet. How do you anti-spoof, for example, a peering link with SPRINT or UUNET? It's not realistic to think that you know which addresses could or could not legitimately come from them.

another poster wrote that the spoofed traffic he was seeing was coming from 0.0.0.4 - 40.0.0.0 in .4 increments ... simple bogon filtering would get rid of a good chunk of that space. Granted, it's a small subset of anti-spoof filtering, but there are still networks out there that don't even make _that_ best effort. If folks would simply make the best effort they could, given their situation, the Internet as a whole would be a dramatically nicer place. That best effort will vary greatly by situation, but even a partial attempt is better than none at all.

--
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui
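
The coverage argument in the message above, worked as an added example (not part of the original post and not the poster's code): it counts how much of a 0.0.0.4 to 40.0.0.0 spoofed-source sweep a bogon filter drops, without enumerating the sweep. Assumptions: ".4 increments" is read as a step of 4 addresses, the prefix list holds only IPv4 special-purpose ranges, and all function names are illustrative.

```python
import ipaddress

# Assumption: IPv4 special-purpose ranges that are never valid as a source
# on the public Internet. Real bogon lists also carry unallocated blocks,
# which change over time and are not reproduced here.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr):
    """True if a packet with this source address should be dropped at the edge."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def sweep_hits(first, last, step, net):
    """Count members of first, first+step, ... (<= last) that lie inside net."""
    lo = max(first, int(net.network_address))
    hi = min(last, int(net.broadcast_address))
    if lo > hi:
        return 0
    # Round lo up to the next address that is actually part of the sweep.
    start = first + -(-(lo - first) // step) * step
    return 0 if start > hi else (hi - start) // step + 1


def sweep_coverage(first, last, step=4):
    """Return (dropped, total) for a spoofed-source sweep, without enumerating it."""
    first, last = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    total = (last - first) // step + 1
    # BOGONS entries do not overlap, so per-prefix counts can be summed.
    dropped = sum(sweep_hits(first, last, step, net) for net in BOGONS)
    return dropped, total


if __name__ == "__main__":
    dropped, total = sweep_coverage("0.0.0.4", "40.0.0.0")
    print(f"{dropped} of {total} sweep sources dropped ({dropped / total:.1%})")
    for src in ("0.0.0.4", "10.200.3.8", "24.0.0.4"):  # constructed samples
        print(src, "drop" if is_bogon(src) else "pass")
```

Because unallocated blocks are left out of the list, the computed share is a lower bound on what a full bogon list would catch.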