NSPs and filters

• Previous message (by thread): NSPs and filters
• Next message (by thread): NSPs and filters
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 11 Jul 1997, Jon Lewis wrote:
 
> Why is it that the NSPs I've encountered refuse to do any sort of sanity
> filtering on their customer connections?  i.e. If UUNet knows that FDT has
> only 205.229.48/20 and 208.215.0/20, why should they let me send traffic
> through their network with random source addresses?
>
> FDT has been the target of forged source address UDP attacks for the past
> 2 days.  It's all being stopped at our router that takes our UUNet T1, but
> the extra T1 traffic is causing UUNet's usually unreliable network to be
> even less reliable, and we've lost connectivity to UUNet several times
> this evening.

Its not feasible to filter packets on customer gateway routers.  When you
impose a packet filter on a GW router customer interface, all packets  
destined to that customer have to be matched to an access-list and then
forwarded down the pipe or dropped.  This increases the load on the  
router CPU, because it is used to switching the packets.  Now you have to
analyze each packet which takes up CPU time.

This is not a nice thing to do to a router, especially while the router is
trying to keep up with 50 other customers...  And if more than 1 customer
wants this type of service, you start really feeling the load.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      ice9 at paranoia.com      http://www.paranoia.com/~ice9
My opinion may not reflect that of any living person, but its the 
only one that counts!!
                      main() {for(;;fork());}
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

• Previous message (by thread): NSPs and filters
• Next message (by thread): NSPs and filters
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]