nanog mailing list archives

Re: Things to do to make the network better


From: "Perry E. Metzger" <perry () piermont com>
Date: Mon, 05 Jan 1998 11:07:01 -0500


Owen DeLong writes:
I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety of packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

That's great if you're a downstream provider with no transit customers.
However, when you become a transit provider,

OF COURSE this is mainly a "leaf network" thing, not a thing for
transit networks.

Large providers serving "leaf networks" with well defined connection
points to them *can* do some filtering -- in particular, they can
refuse to pass packets to a network claiming to originate from within
it, and they can refuse to accept packets from a network claiming not
to come from within it. That is not, of course, the true transit
network case.

Extensive filtering *will* reduce the denial of service attacks of
this sort we are getting. They can never eliminate them, but they
*will* help. I cannot urge strongly enough that people start
implementing this sort of filtering as soon as possible.

Perry
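The two filtering rules Perry describes, as an added example that is not part of the original post: a small Python model of a border router that applies the "inside" rule on each customer link and the "outside" rule on the upstream link, and that also covers the multi-customer provider case in the message. Interface names and prefixes are constructed (RFC 5737 documentation ranges), not taken from any real network.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed model of a border router: one upstream ("outside") link and one
# or more customer ("inside") links, each assigned the prefixes that
# legitimately originate behind it.
class BorderFilter:
    def __init__(self, inside_prefixes: Dict[str, Iterable[str]]):
        # interface name -> networks that may appear as a source on that link
        self.inside = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in inside_prefixes.items()
        }

    def _owner(self, addr: ipaddress._BaseAddress):
        # Return the inside interface that legitimately sources addr, or None.
        for ifname, nets in self.inside.items():
            if any(addr in n for n in nets):
                return ifname
        return None

    def check(self, ingress_if: str, src: str) -> str:
        """Verdict for a packet arriving on ingress_if with source address src."""
        owner = self._owner(ipaddress.ip_address(src))
        if ingress_if in self.inside:
            # From an inside link: the source must belong to that very link.
            # This stops the network from ever sourcing forged packets, and
            # also stops one customer from forging another customer's space.
            return "ACCEPT" if owner == ingress_if else "DROP"
        # From the outside: the source must not claim an inside address.
        # This is what keeps reflected (smurf-style) traffic off the customer.
        return "DROP" if owner is not None else "ACCEPT"

    def audit(self, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
        """Apply check() to (ingress_if, src) pairs; useful for testing an ACL."""
        return [(i, s, self.check(i, s)) for i, s in packets]


# Constructed sample: two customer links plus the upstream link.
EXAMPLE = BorderFilter({"cust-a": ["192.0.2.0/24"], "cust-b": ["198.51.100.0/24"]})

if __name__ == "__main__":
    for line in EXAMPLE.audit([("cust-a", "192.0.2.7"), ("cust-a", "203.0.113.9"),
                               ("upstream", "192.0.2.7"), ("upstream", "203.0.113.9")]):
        print(*line)
```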

