SYN floods continue
Avi Freedman
freedman at netaxs.com
Wed Sep 11 20:30:30 UTC 1996
I was talking about a different filter.
The one I listed was designed to prohibit someone at an exchange point
from using our network for transit.
I agree, you'd want to do what you describe to prevent IP spoofing.
Avi
> >>>>> "Avi" == Avi Freedman <freedman at netaxs.com> writes:
>
> Avi> This is actually an incoming filter...
> Avi> acc 102 permit ip any 198.138.103.0 0.0.0.255
>
> Ummmm.... disclaimer, I'm not an expert on this, but according to my
> understanding of how Cisco access lists work, the incoming filter you
> showed actually does nothing at all. The normal situation is that
> packets are coming in from random addresses, destined for your
> internal network. There is nothing in this filter that prevents your
> own source addresses from being spoofed outside your border.
>
> It seems to me that you want something more like this, which is what
> we have in place:
>
> acc 102 deny ip 198.138.103.0 0.0.0.255 any
> ...
> acc 102 permit any any
>
> It seems to work for us. Please let me know if I'm missing something here!
>
> --
> Bruce Robertson, President/CEO
> Great Basin Internet Services, Inc.
> +1-702-348-7299 fax: +1-702-348-9412
>
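The two filters discussed in this exchange, as an added example that is not from the thread: a small Python evaluator for Cisco-style extended ACL entries with wildcard masks, run over constructed sample packets to show that the `permit ip any <our net>` inbound filter passes a packet spoofing one of our own source addresses, while the `deny ip <our net> any` entry drops it. The prefix 198.138.103.0/24 is the one quoted above; the sample source addresses are made up.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the original posts: a minimal evaluator for
# Cisco-style extended ACL entries, enough to compare the two quoted filters.

OUR_NET = "198.138.103.0"       # prefix quoted in the thread
OUR_WILDCARD = "0.0.0.255"      # Cisco wildcard mask for a /24


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(src, e.src, e.src_wc) and matches(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Avi's inbound filter as quoted: permit ip any 198.138.103.0 0.0.0.255
AVI_ACL = [Entry("permit", "any", "", OUR_NET, OUR_WILDCARD)]

# Bruce's anti-spoofing filter: deny our own prefix as source, then permit.
BRUCE_ACL = [
    Entry("deny", OUR_NET, OUR_WILDCARD, "any", ""),
    Entry("permit", "any", "", "any", ""),
]


def compare(src, dst):
    """Return (Avi's verdict, Bruce's verdict) for one inbound packet."""
    return evaluate(AVI_ACL, src, dst), evaluate(BRUCE_ACL, src, dst)


if __name__ == "__main__":
    # Constructed packets: a normal inbound one, and one whose source is
    # spoofed to lie inside our own prefix.
    for src, dst in [("192.0.2.7", "198.138.103.10"),
                     ("198.138.103.5", "198.138.103.10")]:
        print(src, "->", dst, compare(src, dst))
```

Avi's list also yields the implicit deny for any packet not destined to the prefix, which is the transit-prevention behaviour he describes.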