nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ISP port blocking practice

From: William Herrin <bill () herrin us>
Date: Fri, 3 Sep 2010 11:23:00 -0400
On Thu, Sep 2, 2010 at 11:04 PM, Daniel Senie <dts () senie com> wrote:

Ingress filtering is the correct tool for the job.


Not really. Ingress filtering only ever protected you from being the
source of spooding attacks, not the destination. The point of Zhiyun's
results is that it doesn't fully protect you from being the source
either.

Frankly, Zhiyun offers the first truly rational case I've personally
seen for packet filtering based on the TCP source port. You should
give his work more careful scrutiny.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside comĀ  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Previous By Date Next
Previous By Thread Next

Current thread: