Things to do to make the network better

Perry E. Metzger perry at piermont.com
Wed Dec 31 16:14:37 UTC 1997


John R. Levine writes:
> And since we're on this topic, at NANOG in Scottsdale we suggested
> that ISPs firewall in their users so the only port 25 connections they
> can make are to the ISP's own SMTP server, so the ISP can stamp
> outgoing mail with the actual sender ID and possibly do volume
> monitoring and choking.  (You could either block connections or other
> systems, or warp them to your own servers, and you'd need provision
> for exceptions for people who send in a signed AUP, etc.)  How far is
> that from being feasible for POP farm customers?

It is pretty easy to filter port 25 connections from the ranges in
question.

I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety of packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

I've been thinking of surveying randomly selected networks to see how
many people are actually taking these (critical and necessary) steps.

Perry
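The two anti-spoofing rules Perry describes (drop inbound packets that claim an inside source, drop outbound packets that claim an outside source) plus the port-25 restriction from Levine's suggestion, written out as a border filter. This is an added example, not code from the post or from any router vendor; the prefixes (RFC 5737 documentation ranges), the customer pool, the relay address and the AUP exemption list are all constructed for the example.

```python
"""Border filter for an ISP edge, as a worked example of the two
anti-spoofing rules plus the customer port-25 restriction.

All addresses below are constructed (RFC 5737 documentation ranges),
not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology (assumptions, not from the post):
INSIDE = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
CUSTOMER_POOL = ip_network("192.0.2.128/25")   # dial-up / POP-farm addresses
ISP_SMTP = ip_address("198.51.100.25")          # the ISP's own mail relay
AUP_EXEMPT = {ip_address("192.0.2.200")}        # signed an AUP, may run own MTA


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    # "in"  = arriving from the outside world on the border interface
    # "out" = leaving toward the outside world
    direction: str = "in"


def is_inside(addr) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INSIDE)


def border_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one packet at the border."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    if pkt.direction == "in":
        # Ingress rule (the "former" in the post): a packet arriving from
        # outside can never legitimately carry one of our own addresses
        # as its source. Dropping it stops outsiders forging packets that
        # appear to come from our hosts.
        if is_inside(src):
            return "deny", "ingress: outside packet claims inside source"
        return "permit", "ingress ok"

    # Egress rule (the "latter" in the post): anything we emit must carry
    # one of our own source addresses. This keeps our network from ever
    # being the origin of a spoofed flood such as a smurf trigger.
    if not is_inside(src):
        return "deny", "egress: inside packet claims outside source"

    # Port-25 rule from Levine's suggestion: customer hosts may only talk
    # SMTP to the ISP's relay unless they are on the AUP exemption list.
    if (pkt.proto == "tcp" and pkt.dport == 25 and src in CUSTOMER_POOL
            and src not in AUP_EXEMPT and dst != ISP_SMTP):
        return "deny", "egress: customer SMTP not to ISP relay"
    return "permit", "egress ok"


def run(packets: List[Packet]) -> List[str]:
    """Apply the filter to a list of packets; returns the verdicts."""
    return [border_filter(p)[0] for p in packets]


# Constructed sample traffic, one packet per case the rules cover.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, "in"),        # normal inbound
    Packet("192.0.2.10", "192.0.2.255", "icmp", None, "in"),     # spoofed inside src
    Packet("203.0.113.9", "198.51.100.255", "icmp", None, "out"),  # smurf-style egress spoof
    Packet("192.0.2.130", "198.51.100.25", "tcp", 25, "out"),    # customer -> ISP relay
    Packet("192.0.2.130", "203.0.113.25", "tcp", 25, "out"),     # customer -> outside MTA
    Packet("192.0.2.200", "203.0.113.25", "tcp", 25, "out"),     # AUP-exempt customer
    Packet("192.0.2.5", "203.0.113.25", "tcp", 25, "out"),       # non-customer inside host
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = border_filter(p)
        print(f"{p.direction:>3} {p.src:>14} -> {p.dst:<15} {verdict:6} {why}")
```

The ingress rule only protects hosts inside the filtered prefixes; it does nothing for traffic spoofed between two outside networks, which is why the post stresses that every network has to apply the egress rule for the problem to go away.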


