Security Incidents mailing list archives

Re: ISP Filtering (Survey of Sorts)


From: "Christian Schwalm" <schwalm () informatik uni-hannover de>
Date: Fri, 1 Jun 2001 22:46:54 +0200

Hi everyone !

T1 and up providers don't get their hands dirty with client specific router
configuration for the same reasons that consultants get paid Big
Money: it requires a lot of work and generally speaking, an ongoing degree
of effort.

I just have to throw in a personal experience here:

Some days ago a friend of mine was the target of a (still possible)
smurf attack. His logs showed a large number of ICMP echo replies
from hosts we found out were in subnets with open broadcasts.

The 2mbit uplink provided by the "Deutsche Telekom" was rendered
useless by this attack. Blocking them in his routers was not an
option because all he had access to was behind the 2mbit line.

My 2 pieces of advice were:

* Wait until it's over. (That was not an option for him because the company
  he worked for needed the uplink badly.)

* Ask your provider to temporarily block all ICMPs in a backbone router
  or something a little higher in the food chain.

Everyone with knowledge about the size of "Deutsche Telekom" and the
relative meaning of this 2mbit to them might think: spend the 50 cents
of that phonecall somewhere else - it's better invested. But after 2 calls
there was a ticket opened and 3 hours later the DoS stopped because the
ICMPs were blocked, with the DT effectively taking over the traffic costs.

I had similar experiences with ECRC/Cable&Wireless while I was working for
an internet startup.

So I think: Even huge ISPs can act quickly if you

  a) ask politely
  b) deliver logs making them understand that you are not "hunting ghosts"
  c) make it clear that this is very important for you

cheers,
Chrissi

--
Christian "eldoc" Schwalm
schwalm () informatik uni-hannover de
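The post's point b) is that the provider acts once the logs make the smurf pattern obvious. The script below is an added example (not part of the post, and not any tool its author used) that turns a capture of the victim's ICMP traffic into that kind of evidence: it keeps only echo replies the victim never requested, groups them by /24 so the open-broadcast amplifier networks stand out, and prints a summary suitable for attaching to a ticket. The log lines and all addresses are constructed for the example (RFC 5737 and RFC 2544 ranges, victim 203.0.113.5); the tcpdump-style line format and the /24 grouping are assumptions, not something the post specifies.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed tcpdump-style log (hypothetical traffic, documentation address ranges).
# 203.0.113.5 is the victim behind the saturated uplink. It sent exactly one echo
# request (to its gateway 203.0.113.1); every other reply it receives is unsolicited.
SAMPLE_LOG = """\
22:10:01.000100 IP 203.0.113.5 > 203.0.113.1: ICMP echo request, id 3, seq 1, length 64
22:10:01.000300 IP 203.0.113.1 > 203.0.113.5: ICMP echo reply, id 3, seq 1, length 64
22:10:01.000410 IP 192.0.2.17 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000420 IP 192.0.2.18 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000430 IP 192.0.2.19 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000440 IP 192.0.2.20 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000510 IP 198.51.100.40 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000520 IP 198.51.100.41 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000530 IP 198.51.100.42 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.000600 IP 198.18.0.9 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 1064
22:10:01.009000 IP 203.0.113.5.443 > 198.51.100.7.51022: Flags [P.], seq 1:100, ack 1, win 512, length 99
"""

# Matches only ICMP echo request/reply lines; TCP and other traffic is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply)\b"
)


def parse_icmp_echo(text):
    """Return a list of (timestamp, src, dst, kind) tuples for ICMP echo lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return records


def find_amplifiers(records, victim, min_hosts=3):
    """Flag echo replies the victim never asked for and group them by /24.

    A smurf flood shows up as replies from many distinct hosts that share a
    subnet (the broadcast network that answered the spoofed request) while
    the victim sent no echo request to any of them. A subnet with fewer than
    min_hosts replying hosts is reported separately so that a lone stray
    reply does not get blamed on a whole network.
    """
    asked = {dst for _, src, dst, kind in records if kind == "request" and src == victim}
    replies = [src for _, src, dst, kind in records if kind == "reply" and dst == victim]
    unsolicited = [src for src in replies if src not in asked]

    hosts_by_subnet = defaultdict(set)
    for src in unsolicited:
        hosts_by_subnet[str(ip_network(f"{src}/24", strict=False))].add(src)

    amplifiers = {net: sorted(hosts, key=ip_address)
                  for net, hosts in hosts_by_subnet.items() if len(hosts) >= min_hosts}
    return {
        "replies_to_victim": len(replies),
        "unsolicited": len(unsolicited),
        "amplifier_subnets": dict(sorted(amplifiers.items())),
        "below_threshold": {net: len(h) for net, h in hosts_by_subnet.items()
                            if len(h) < min_hosts},
    }


def ticket_summary(result, victim):
    """Plain-text evidence block to paste into the provider's ticket."""
    lines = [
        f"Victim: {victim}",
        f"ICMP echo replies received: {result['replies_to_victim']}",
        f"  of which unsolicited (no matching request): {result['unsolicited']}",
        "Likely broadcast amplifier networks (distinct replying hosts):",
    ]
    for net, hosts in result["amplifier_subnets"].items():
        lines.append(f"  {net}: {len(hosts)} hosts, e.g. {', '.join(hosts[:3])}")
    return "\n".join(lines)


if __name__ == "__main__":
    victim = "203.0.113.5"
    result = find_amplifiers(parse_icmp_echo(SAMPLE_LOG), victim)
    print(ticket_summary(result, victim))
```

Run against a real capture, the same two-step check (reply without a matching request, then clustering by subnet) separates legitimate ping responses from amplified ones and gives the provider concrete networks to name in a filter, which is far easier for them to act on than "we are being pinged a lot".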
