ingress filtering

John Fraizer John.Fraizer at EnterZone.Net
Thu May 28 18:32:48 UTC 1998


At 01:28 PM 5/28/98 -0400, you wrote:
>Who *does* do ingress filtering? I have it on our border routers
>and customer connect ports. We have transit from MCI and UUNET.
>Neither has ingress filters -- see below message from MCI on
>this.

We do ingress and egress filtering.  It's just a matter of keeping people
on both sides of the border router from spoofing either by mistake or
maliciously.

>The result of course is that spammers and other bad guys can try
>to attack your systems with forged source IP addresses.
>Random strange people in the 'net send "NETBIOS name service"
>(port 137) packets to my unix mail relay, which of course ignores
>them.
The NETBIOS name service comes from Winblows machines.  I would venture to
guess that your mailserver also has a resolver running that is also most
likely authoritative for your or someone's domain.  Either that or you are
specifying that resolver via radius to your dialup clients.

When a Winblows box does a DNS lookup, for some reason, it will also send a
NETBIOS name service request thinking that there is a WINS resolver living
at the same IP.  It's just another example of MS doing very strange things.
(Read: They don't know $h!t about IP and show it regularly!)

The dialup provider from which these requests originate should be filtering
port 137 on egress to prevent it from making it to the global internet.
Then again, we should all be egress and ingress filtering, filtering ICMP
to our broadcast and network addresses and sending money to our favorite
charity too.  No matter how much we harp, there will be idiots with the
keys to the router cabinets who just won't do the right thing.
-------
John Fraizer    (root)          |    __   _                 |
The System Administrator        |   / /  (_)__  __ ____  __ | The choice
mailto:root at EnterZone.Net       |  / /__/ / _ \/ // /\ \/ / |  of a GNU
http://www.EnterZone.Net/       | /____/_/_//_/\_,_/ /_/\_\ | Generation
                     A 486 is a terrible thing to waste...
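The filtering the post recommends at a border router (ingress: drop packets arriving from the outside that claim one of your own source addresses; egress: drop packets leaving that do not carry one of your own addresses; drop NetBIOS name service, udp/137, on egress; drop ICMP aimed at your network and broadcast addresses), as an added worked example that is not part of the original message. It is a small Python model of the decision logic, not any vendor's ACL syntax, and it assumes a constructed address plan: the site prefixes 192.0.2.0/24 and 198.51.100.0/24 and interface labels "outside" and "inside" are placeholders chosen for illustration.

```python
"""Toy model of border-router ingress/egress anti-spoofing filtering.

Added example, not from the original post. The prefixes below are
constructed placeholders (RFC 5737 documentation ranges), not real networks.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: the prefixes that live behind our border router.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),      # hypothetical server LAN
    ipaddress.ip_network("198.51.100.0/24"),   # hypothetical dialup pool
]

NETBIOS_NS_PORT = 137   # NetBIOS name service, the chatter mentioned in the post


@dataclass(frozen=True)
class Packet:
    iface: str      # "outside" = arriving from transit, "inside" = arriving from our customers
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port for tcp/udp, 0 for icmp


def is_internal(addr: str) -> bool:
    """True if addr belongs to one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def is_network_or_broadcast(addr: str) -> bool:
    """True if addr is the network or directed-broadcast address of one of
    our prefixes, i.e. a destination that can turn one ICMP echo into many."""
    ip = ipaddress.ip_address(addr)
    return any(ip in (net.network_address, net.broadcast_address)
               for net in INTERNAL_PREFIXES)


def border_filter(pkt: Packet):
    """Return (verdict, reason); verdict is 'permit' or 'deny'."""
    if pkt.iface == "outside":
        # Ingress rule: nobody on the Internet may send us a packet whose
        # source claims to be one of our own addresses.
        if is_internal(pkt.src):
            return "deny", "ingress: spoofed internal source address"
    elif pkt.iface == "inside":
        # Egress rule: everything we emit must carry one of our own addresses,
        # so our customers cannot spoof anyone else by mistake or on purpose.
        if not is_internal(pkt.src):
            return "deny", "egress: source address not ours (spoofed)"
        # Keep NetBIOS name-service requests off the global Internet.
        if pkt.proto == "udp" and pkt.dport == NETBIOS_NS_PORT:
            return "deny", "egress: netbios-ns udp/137"
    else:
        return "deny", "unknown interface"
    # Applies in both directions: ICMP to our network/broadcast addresses.
    if pkt.proto == "icmp" and is_network_or_broadcast(pkt.dst):
        return "deny", "icmp to network/broadcast address"
    return "permit", "ok"


def verdicts(packets):
    """Verdict string for each packet, in order."""
    return [border_filter(p)[0] for p in packets]


# Constructed sample traffic, one packet per rule of interest.
SAMPLE_PACKETS = [
    Packet("outside", "192.0.2.5", "192.0.2.10", "tcp", 25),       # spoofed, from outside
    Packet("outside", "203.0.113.9", "192.0.2.10", "tcp", 25),     # legitimate inbound mail
    Packet("outside", "203.0.113.9", "192.0.2.255", "icmp"),       # echo to our broadcast
    Packet("inside", "10.0.0.1", "203.0.113.9", "udp", 53),        # customer spoofing
    Packet("inside", "198.51.100.7", "203.0.113.9", "udp", 137),   # NetBIOS NS leaking out
    Packet("inside", "198.51.100.7", "203.0.113.9", "udp", 53),    # ordinary DNS lookup
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = border_filter(p)
        print(f"{p.iface:7} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport:<4} {verdict:6} {reason}")
```

Each check corresponds to one sentence of the post; the order matters only in that the direction-specific spoofing checks run before the direction-independent ICMP check, so a packet that fails both is reported as spoofed.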