Automatic filtering - CISCO, you should think about this...

[Karl Denninger <karl () mcs net>]

Hi CISCO :-)

I know this isn't their list, but since most major network providers run
their stuff, this is as good a place as any to talk about this.

How about an interface keyword such as "auto-inbound-filter", which does
this:

        At STARTUP and when the LOCAL route table changes (ie: "ip route
        xxx..." statements) the system looks at the interfaces, and the 
        local static routes, and builds an accept list for that interface.
        The list is stored in a "reserved" set of system access lists.

        Add a parmaeter which can be turned on (ie: log) which would add
        "log" to the end of the filter lists, so that anyone TRYING to smurf
        will get logged

This would totally automate the process of inbound filtering to prevent or
severely limit smurf attacks.

Since filters which are based only on the source address are relatively
cheap for the router to process, this would likely not seriously burden 
anyone in their direct connections.

I'd love to see something like this, and it would reduce the complaint that
its "too hard to manage" such things.

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost