nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SMURF amplifier block list

From: Jason Lixfeld <jlixfeld () idirect ca>
Date: Wed, 27 May 1998 18:45:48 -0400 (EDT)
What would be the benefit of doing 3 AND 4?!  They both effectively do the
same thing and you can't do one if the other is being blocked.  Is their a
pro to doing both of them?

:A combination of ...
:
:1.  blocking outbound packets with sources not in your own networks
:
:2.  blocking inbound packets addressed to broadcast addresses you know
:    you have in your subnetting topology
:
:3.  blocking inbound echo_request
:
:4.  blocking outbound echo_reply
:
:... would be a good start.  It breaks things like outsiders pinging your
:network, but many find this an acceptable compromise.  I've done #1, #3
:and #4 for over 4 years.  I plan to add #2 shortly, not only at the main
:gateways, but also for all RADIUS based dialups, whether LAN or not.  I
:already block outbound packets to port 25, except allow them to my mail
:servers, for all but customers who run their own mail servers, via RADIUS,
:for purposes of blocking spam relaying.  Of course that won't stop it all,
:but it does stop most, including the naive.
:
:I have no plans to block outbound packets to addresses ending in .255.
:
:I'd love to be able to:
:
:5.  block inbound packets with sources I have no routes for
:
:6.  block inbound packets with sources that came in over an interface that
:    such a source could not route to if it were a destination
:
:-- 
:Phil Howard | blow2me7 () no4place net a6b5c4d9 () s1p0a0m4 net eat6this () noplace6 com
:  phil      | stop5it8 () spammer6 edu no9way48 () dumbads1 net blow1me9 () s0p0a9m2 edu
:    at      | suck3it2 () anywhere net crash528 () nowhere5 edu end7it11 () lame7ads com
:  milepost  | stop6ads () no1where org no59ads8 () s6p5a1m6 org ads5suck () s8p8a3m8 edu
:    dot     | no9way53 () no37ads3 net eat25me5 () s9p8a1m1 edu die8spam () spammer1 com
:  com       | eat59me0 () spammer5 org stop4181 () dumbads9 net eat2this () spammer6 net
:

--
Regards,  

Jason A. Lixfeld

Network Engineer, iDirect Network Operations

---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806        (T)
M9B-1B5 CANADA               | (416) 236-5804        (F)
---------------------------------------------------------------------
jlixfeld () idirect ca          | jlixfeld () torontointernetxchange net
---------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: