On Tue, 19 Feb 2002 09:50:39 EST, Security Coordinator <securityat_private> said:

> would be hard for them to know, but then why is it we see so many spoofed
> packets around? There should be ZERO of them on the net. Every router knows
> what addresses to expect to be inside vs outside.
>
> I won't belabour the point, but YES, you should not just report it to the
> ISP, you should let everyone know where attacks come from. What we REALLY
> need is a database and system good enough to understand the topology of the
> net and process attack reports in a sophisticated enough way that we can
> say things like "if this router was filtering like thus, this would be
> impossible" and if an ISP won't configure their equipment properly, then they
> can be held liable.

You know that, I know that - we put the lack of martian-packet filtering in the SANS DDoS document, it's mentioned in the SANS Top10, and in the Top20. I put it into the white paper that got used as the basis for the Center for Internet Security benchmarks. It's hardly news.

And RFC1918 says those address spaces are *not* for public use - but if you go over to the NANOG list and suggest that ISPs filter *RFC1918* packets that come out of customer sites (or quit numbering their router point-to-point links out of 1918 space, which hoses Path MTU discovery when our border routers correctly reject their 1918-sourced ICMP packets), you will surely start a flame-fest.

I'm afraid you're right - the only way those ISPs will change their attitude is if one gets sued for contributory negligence for not filtering.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
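The ingress check the thread describes (a router knows which source prefixes belong behind each customer interface, and RFC1918/martian sources never do) expressed as a small Python filter. This is an added example, not code from the original post or from any vendor; the interface names, delegated prefixes and sample packets are constructed assumptions.

```python
"""Ingress (BCP38-style) source filtering as discussed in the thread.
Constructed example: interface names, prefixes and traffic are assumptions."""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# RFC1918 private space plus a few other never-valid "martian" source ranges.
MARTIAN_NETS: List[IPv4Network] = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4",         # this-net, loopback, multicast
)]

# Constructed topology: each customer-facing interface and the prefixes
# that were actually delegated to the customer behind it.
EXPECTED_PREFIXES: Dict[str, List[IPv4Network]] = {
    "cust-a": [ip_network("198.51.100.0/24")],
    "cust-b": [ip_network("203.0.113.0/25"), ip_network("203.0.113.128/26")],
}

def ingress_verdict(iface: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` arriving on `iface`.
    Martian sources are dropped on any interface; otherwise the source must fall
    inside one of the prefixes the ISP expects behind that interface."""
    addr: IPv4Address = ip_address(src)
    for net in MARTIAN_NETS:
        if addr in net:
            return "drop", f"martian source {src} in {net}"
    allowed = EXPECTED_PREFIXES.get(iface)
    if allowed is None:
        return "drop", f"no prefix list configured for interface {iface}"
    if any(addr in net for net in allowed):
        return "accept", f"{src} inside expected prefixes for {iface}"
    return "drop", f"{src} not expected on {iface} (spoofed or misrouted)"

def filter_packets(packets: List[Tuple[str, str]]) -> List[str]:
    """Apply ingress_verdict to (iface, src) pairs; return the accepted sources."""
    return [src for iface, src in packets if ingress_verdict(iface, src)[0] == "accept"]

# Constructed sample traffic: one legitimate packet per customer, one RFC1918-sourced
# packet (the kind the thread says should be ZERO on the net) and one forged source
# claiming another customer's prefix.
SAMPLE = [
    ("cust-a", "198.51.100.7"),
    ("cust-b", "203.0.113.150"),
    ("cust-a", "10.1.2.3"),
    ("cust-b", "198.51.100.7"),
]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src, *ingress_verdict(iface, src))
```

The same logic, applied on the ISP's own side of a 1918-numbered point-to-point link, is what makes the Path MTU discovery complaint in the message real: the ICMP reply sourced from 10.x would be dropped by a correctly configured border router.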
This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 12:13:48 PST