Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Pekka Savola
pekkas at netcore.fi
Thu Jun 3 06:55:11 UTC 2004
On Wed, 2 Jun 2004, Michel Py wrote:
> > Jon R. Kibler wrote:
> > IMHO, there is absolutely no excuse for not doing ingress and
> > egress filtering. In fact, if you are an ISP, I would argue
> > that you are negligent in your fiduciary responsibilities to
> > your customers and shareholders if you are not filtering
> > source IP addresses.
>
> Hey, I'm all for it. Where's the money and the staff?
set routing-options forwarding-table unicast-reverse-path feasible-paths
set interfaces yy-x/x/x unit 0 family inet rpf-check
What else do you need?
Or did you buy crap that doesn't support (good) uRPF, or even doesn't
support (line-rate) filtering? Change the vendors and filter at your
core connecting those crappy boxes then.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG
mailing list