Re: ingress filtering

[Brian Horvitz <horvitz () shore net>]

I have the luxury of being able to filter for source address at my ingress
points on only two routers.  That makes it relatively easy to do.  I find
a surprising number of packets with source addresses from inside my
network or from the private IP space.

  Brian

On Thu, 28 May 1998, Mr. Dana Hudes wrote:

> Who *does* do ingress filtering? I have it on our border routers
> and customer connect ports. We have transit from MCI and UUNET.
> Neither has ingress filters -- see below message from MCI on
> this.
> The result of course is that spammers and other bad guys can try
> to attack your systems with forged source IP addresses.
> Random strange people in the 'net send "NETBIOS name service"
> (port 137) packets to my unix mail relay, which of course ignores
> them.
> Other such fun things continue to be seen in the logs.
>
>
> Subject: Re: RFC1918 addresses from MCI
>    Date: Thu, 28 May 1998 08:16:23 -0700
>    From: security () mci net
>       To: dhudes () graphnet com
>      CC: security () mci net
>
> Mr. Hudes,
>
>
> Thank you for your note.  MCI does not currently source filter
> address
> space at it's ingress points.  Addresses sourced from
> non-routable or
> invalid addresses are not blocked or filtered.  Addresses
> destined to
> non-routable addresses spaced are not routed.
>
> If you think it is a security issue and it is on-going then
> please
> contact us with the target address so we can investigate.
>
>
> Regards,
>
>
> -Julian Min