SYN floods (was: does history repeat itself?)

Justin W. Newton justin at erols.com
Fri Sep 13 14:51:14 UTC 1996


At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
>Alex.Bligh writes:

>> I think you are talking about filtering inbound packets to your
>> router and restricting them to BGP announcements (I don't
>> think Avi was - see below). This would be done on the destination
>> address (checking it was within your announced route set) and
>> thus doesn't help protect against spoofed source addresses.
>
>No, Justin's talking about filtering _customers'_ packets at Justin's
>border with the customer. No BGP involved. This assumes customers that
>are not providers (ie, no transit for other nets through the customer).
>Good enough if all providers do the right thing (or if almost all do).
>
>What Justin meant about his BGP announcements was that a customer's
>packet is legal IFF Justin's announcing that packet's net by BGP (on
>_behalf_ of the customer, not _to_ the customer). Again, customer means
>a site that's not a BGP peer.

Actually what Justin was talking about is as follows...

Justin will only allow packets out of his border routers /to/ peers if they
are packets with a source address inside the ranges of addresses he
announces via BGP.  I.e. if I announce 192.1.1.0 0.0.0.255 I would allow a
packet with an address of 192.1.1.1 out of my network into "the net at
large" but not if the packet's source address was 192.1.2.1.  I will allow
any packet which I allow to enter my network into a customer's network.
Their filtering is their problem.

Justin Newton
Internet Architect
Erol's Internet Services
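The egress rule Justin describes above, as an added example that is not part of the original post and not Erol's configuration: a packet may leave toward a peer only if its source address falls inside a prefix the network announces via BGP, here the single prefix 192.1.1.0 0.0.0.255 in the Cisco "network wildcard" form he uses. The sample packets, the decision functions and the rendering of the same policy as a numbered IOS access list are all constructed for illustration; the interface name in the comment is hypothetical.

```python
import ipaddress

# Constructed example (not from the post): the prefixes this network
# announces via BGP, written as "network wildcard" the way Justin does.
# 192.1.1.0 0.0.0.255 is the one prefix named in the post.
ANNOUNCED_PREFIXES = [
    "192.1.1.0 0.0.0.255",
]

# Constructed sample traffic (src, dst) as it would arrive at a border
# router on its way out to a peer. Only the source address matters here.
SAMPLE_PACKETS = [
    ("192.1.1.1", "10.0.0.1"),      # inside the announced /24 -> permitted
    ("192.1.2.1", "10.0.0.1"),      # the post's counter-example -> dropped
    ("192.1.1.254", "172.16.0.5"),  # still inside the /24 -> permitted
    ("10.9.8.7", "192.1.1.1"),      # spoofed source we never announce -> dropped
]


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Turn 'network wildcard' (Cisco ACL notation) into an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask, so 0.0.0.255
    is /24. strict=True makes a typo in the announcement list (host bits
    set, or a non-contiguous wildcard) raise ValueError instead of
    silently widening or narrowing what we let out.
    """
    net_str, wild_str = entry.split()
    wildcard = int(ipaddress.IPv4Address(wild_str))
    netmask = (~wildcard) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (net_str, str(ipaddress.IPv4Address(netmask))), strict=True
    )


def egress_permitted(src: str, announced) -> bool:
    """Justin's rule: let the packet out to a peer only if its source
    address lies inside some prefix we announce via BGP."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in announced)


def filter_packets(packets, announced):
    """Split (src, dst) tuples into (permitted, dropped) per the egress rule."""
    permitted, dropped = [], []
    for pkt in packets:
        (permitted if egress_permitted(pkt[0], announced) else dropped).append(pkt)
    return permitted, dropped


def to_ios_acl(number: int, announced):
    """Render the same policy as a numbered Cisco IOS extended access list.

    Illustration only, not a configuration from the post. It would be
    applied outbound on the peer-facing interface, e.g.
        interface Serial0          (hypothetical name)
         ip access-group 101 out
    The final deny logs what was stopped, which is how you find the
    customer whose filtering is "their problem".
    """
    lines = [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        for net in announced
    ]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    nets = [wildcard_to_network(e) for e in ANNOUNCED_PREFIXES]
    ok, bad = filter_packets(SAMPLE_PACKETS, nets)
    print("permitted:", ok)
    print("dropped:  ", bad)
    print("\n".join(to_ios_acl(101, nets)))
```

Note that the check is on the source address only, so nothing here stops a customer spoofing another host inside the same announced /24; that is exactly the residual risk Justin leaves to the customer's own filtering.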
