Land and Cisco question

Sean Donelan SEAN at SDG.DRA.COM
Mon Nov 24 09:34:34 UTC 1997


>I'm sorry - but the Right Thing (tm) to do is to
>ingress filter, as I have already evangelized.
>
>Like it or not.

Paul is correct.  Various vendors will update their systems to handle
this packet of death, but someone will discover another packet of death.
Anti-spoofing filters don't prevent them, but they do act as fire stops to
slow their spread.  Topology may prevent you from creating perfect screens,
but even with the 80/20 rule, anti-spoofing would impede many DoS
attacks, or speed up the tracking of the source.  Just because there
are good reasons for not doing it in the 20%, you should still try to
do it for the 80% it would help.

Single-homed networks, even broad networks like MCI's backbone, rarely
have legitimate packets with their source address originated by hosts
not directly on those networks and routed through parts unknown.  As an
added bonus, anti-spoofing filters also block several cases of people
pointing default at your network.  Think about it.
-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Affiliation given for identification not representation
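As an added example that is not part of the original post or of any vendor's configuration, here is a small Python model of the anti-spoofing ingress filter the thread recommends, run over a few constructed packets (one of them LAND-style, with source equal to destination). The interface names, prefixes and addresses are assumed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed topology (assumed, not from the post): a single-homed network
# owning two prefixes, with one upstream link and two customer ports.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Sources allowed on each customer port: only that customer's own block.
INGRESS_ALLOW = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25")],
}

@dataclass
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str

def verdict(pkt):
    """Return ("permit", None) or ("drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress == "upstream":
        # Nothing legitimate from upstream claims one of our own addresses
        # as source; that also catches a LAND packet whose src equals dst.
        if any(src in p for p in OUR_PREFIXES):
            return ("drop", "internal source %s arrived from upstream" % src)
        return ("permit", None)
    allowed = INGRESS_ALLOW.get(pkt.ingress)
    if allowed is None:
        return ("drop", "no ingress policy for %s" % pkt.ingress)
    if not any(src in p for p in allowed):
        # The "fire stop": the spoof dies at the first hop, and the reason
        # names the port it came in on, which is the tracking gain.
        return ("drop", "source %s not permitted on %s" % (src, pkt.ingress))
    return ("permit", None)

def drops_by_interface(packets):
    """Count drops per ingress port: the first hint when tracing a source."""
    return Counter(p.ingress for p in packets if verdict(p)[0] == "drop")

# Constructed sample traffic.
SAMPLE = [
    Packet("upstream", "203.0.113.9", "192.0.2.10"),  # normal inbound
    Packet("upstream", "192.0.2.10", "192.0.2.10"),   # LAND-style, src == dst
    Packet("cust-a", "192.0.2.5", "203.0.113.9"),     # normal outbound
    Packet("cust-a", "10.1.1.1", "203.0.113.9"),      # spoofed on cust-a
    Packet("cust-b", "192.0.2.5", "203.0.113.9"),     # cust-a's address on cust-b
]
```

Running `verdict` over `SAMPLE` permits the two ordinary packets and drops the three spoofed ones, each with the arrival interface in the reason.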