Implementing anti-abuse techniques on ISP networks....

Christopher Masto chris at
Thu Aug 7 18:57:23 UTC 1997

On Thu, Aug 07, 1997 at 09:42:35AM -0700, Michael Dillon wrote:
> >Operational question: will a Livingston Portmaster allow source IP
> >spoofing?
> I presume that's the reason why people posted the Livingston filter rules
> at
> There are other links regarding this topic in the "Security" section at
> Encourage your customers to implement these filters and encourage your ISP
> customers to get their customers to implement these filters...

I guess people don't read these threads very carefully.

Initally, someone said that ISPs should prevent their dial-up
customers from getting to port 25 on any machine other than the ISP's
mail server.

I said that, _aside from filtering spoofed IPs_ we don't do any
blocking, and I don't think we should.

Someone then gave the example of spoofing another IP on the ISP's
network.  This is not blocked by standard anti-spoofing rules, since
the fake source IP is inside the network it's coming from.

I clarified that this doesn't have anything to do with the port 25
question, and wondered whether a PortMaster does or can be made
to do the more complicated filtering neccesary to prevent it.

For those scoring along at home, it's not easily possible with the
RADIUS-based method I suggested, as the RADIUS server doesn't know
the dynamic IP that will be assigned until it has already accepted
the login.  Oh well.
= Christopher Masto        = chris at =  =
= NetMonger Communications = finger for  PGP key = $19.95/mo unlimited access =
= Director of Operations   =   (516)  221-6664 	 = mailto:info at  =

v---(cut here)---v
    yourname at
    "Keep in mind that anything Kibo says makes a great sig."  -- Kibo
^---(cut here)---^

More information about the NANOG mailing list