Hello all,

On Tue, 15 Feb 2000, Darren Reed wrote:

> It's good to see that ISPs around the world prefer to have $$ in the bank
> rather than a secure Internet. Little wonder that hacking is so prevalent.

I'd like to add that we (as a rather small German ISP) filter source addresses too, at least on most ports. I cannot count the number of refused packets per day, but it seems that source address filtering does _not_ lead to heavy processor load, even on relatively underpowered Cisco 4000 (not 4500 or 4700) routers. The reason is perhaps that people stop their attacks as soon as they notice or at least guess that not a single packet reaches the target host.

I do understand that filtering is not possible on DS3 or STM1 or even faster lines without overloading routers. But, if you filter near to the source, i.e. on the probably many different ports _behind_ the STM1, there is no need for filtering on high speed interfaces.

Best regards,
Andreas Busse

--
IVM Gesellschaft fuer Internet, Vernetzung und Mehrwertdienste mbH
Zissener Strasse 8 - D-53498 Waldorf - Fon 02636-9769-0
Fax 02636-9769-999 - http://www.ivm.net/ - infoat_private
Internet/Intranet Services, Consulting und Netzwerkloesungen