nanog mailing list archives

Re: SYN spoofing


From: "Ron Buchalski" <rbuchals () hotmail com>
Date: Tue, 03 Aug 1999 08:33:59 PDT


From: Randy Bush <randy () psg com>
To: Joe Shaw <jshaw () insync net>
CC: John Fraizer <John.Fraizer () EnterZone Net>, Dan Hollis <goemon () sasami anime net>, bandregg () redhat com, nanog () merit edu
Subject: Re: SYN spoofing
Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)


> How hard is it really to put a filter on your outbound links that says
> drop all ip traffic heading out these links that isn't from my IP space?

trivial.  only one gotcha.  if it is a backbone router, it will fall over
dead.  beyond that, not a problem.

backbone level traffic can not be packet filtered by current real routers.
but we've had this discussion a few times already.

randy


Which is why it's more scalable to do packet filtering at the edge, and leave the core to do what it does best... switch packets.

-rb

