Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Valdis.Kletnieksat_private
Date: Mon Feb 03 2003 - 11:04:52 PST

    On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtysonat_private>  said:
    
    > The best way to handle these types of packets would be to route them to a
    > null0 interface.  This way the packets will be dropped without icmp response.
    > Typically all ISPs should have these ACLs configured on their border routers;
    > but they don't.  
    
    There's not much financial incentive for many ISPs to filter - when you're
    billing based on traffic volume, you don't really want all those probes to
    go away.  So what if 20% of the traffic is probes?  That's 20% more income
    for the provider, and many providers are in a financial crunch - that 20%
    may be all that's keeping them afloat.  As long as they don't get burned by
    an SQL worm that takes out their infrastructure too, why should they filter?
    
    /Valdis (who is having a more-cynical-than-usual day)
    
    
    


