On Sun, 13 Feb 2000, Darren Reed wrote:

> In some mail from Elias Levy, sie said:
> [...]
> > Network Ingress Filtering:
> > --------------------------
> >
> > All network access providers should implement network ingress filtering
> > to stop any of their downstream networks from injecting packets with
> > faked or "spoofed" addresses into the Internet.
> >
> > Although this does not stop an attack from occurring it does make it
> > much easier to track down the source of the attack and terminate it
> > quickly.
> >
> > For information on network ingress filtering read RFC 2267:
> > http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
>
> You know if anyone was of a mind to find someone at fault over this,
> I'd start pointing the finger at ISPs who haven't been doing this
> due to "performance reasons". They've had the ability to do it for
> years and in doing so would seriously reduce the number and possibility
> of "spoofing" attacks.

Well, I worked at such an ISP. The issue was really simple: given the
choice between:

putting a Cisco 25xx for $x000 and hope that we can deal with the
problem when/if the customers start misbehaving,

or

putting a Cisco 47xx for $x0000, and possibly never experience the
problem, but having spent an awful lot of money

the decision to select the former had its firm economic ground, don't
you think?

Andrzej Bialecki

// <abialat_private> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----
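The ingress filtering rule discussed in this thread (RFC 2267), as an added example that is not part of the original messages: a packet arriving from a downstream interface is forwarded only if its source address lies inside a prefix assigned to that interface, and per-interface drop counts show which downstream network is injecting spoofed traffic. The interface names, prefix assignments and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed provisioning table: downstream interface -> prefixes assigned to it.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}
PREFIXES = {ifc: [ipaddress.ip_network(p) for p in nets]
            for ifc, nets in ASSIGNED.items()}


def ingress_permit(interface, src):
    """True only if src lies inside a prefix assigned to this interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # Unknown interfaces have no assigned prefixes, so everything is dropped.
    return any(addr.version == net.version and addr in net
               for net in PREFIXES.get(interface, []))


def filter_ingress(packets):
    """Return (forwarded packets, per-interface drop counts)."""
    forwarded, drops = [], Counter()
    for ifc, src, dst in packets:
        if ingress_permit(ifc, src):
            forwarded.append((ifc, src, dst))
        else:
            drops[ifc] += 1  # the counter identifies the offending downstream
    return forwarded, drops


# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),         # inside cust-a's /25
    ("cust-a", "198.51.100.7", "203.0.113.5"),       # cust-b's space, seen on cust-a
    ("cust-a", "192.0.2.200", "203.0.113.5"),        # outside the /25
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::1"),  # inside cust-b's /48
    ("cust-b", "10.0.0.1", "203.0.113.5"),           # private source address
    ("unknown", "192.0.2.10", "203.0.113.5"),        # no provisioning entry
    ("cust-b", "not-an-ip", "203.0.113.5"),          # malformed source
]

if __name__ == "__main__":
    fwd, drops = filter_ingress(SAMPLE)
    print(f"forwarded={len(fwd)} drops={dict(drops)}")
```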
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:52 PDT