SYN spoofing

Wayne Bouchard web at
Wed Jul 28 18:09:10 UTC 1999

Right, but ISPs can still filter on the corporate networks and at the
aggregation points for DSL and dial and any non-bgp customer. Those
talking BGP to you should be encouraged to do similarly. The full
thing is like next to impossible to maintain but doing these kinds of
relatively steady-state bits and pieces can help.

> On Wed, 28 Jul 1999, Greg A. Woods wrote:
> > 
> > [ On Wednesday, July 28, 1999 at 11:21:35 (-0400), Daniel Senie wrote: ]
> > > Subject: Re: SYN spoofing
> > In fact it's easy to buy off-the-shelf hardware today that can do
> > wire-speed filtering, assuming one has worked such costs into the budget
> > of building a network backbone....
> It is possible to do access filtering on the edges.  Then comes the
> operational aspects of actually making such a thing scale across many many
> edge devices, especially when there are customers with their own space,
> and who may have customers behind them with _their_ own space.  If a
> promising local isp is providing transit to a bunch of other local isps,
> changing every access-list on every edge node every time one of the
> customer isps adds or deletes a customer, becomes a logistical nightmare.
> Some promising local isps are then faced with blowing out huge
> access-lists virtually every hour of the day, and this becomes harder to
> manage when you take into account that now you have several tens of
> promising local isps all trying to match access-lists all around.  Not to
> mention the actual physical limits on current hardware regarding the size
> of configurations. 
> /vijay

Wayne Bouchard                             Frontier GlobalCenter
web at
Network Engineer
(602) 416-6290   800-373-2499 x6290
FAX: (602) 416-6111
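The per-edge source-address filter the thread is arguing about, as an added Python example (not code from the original post or from NANOG): a customer-to-prefix table drives both the ingress check run over sample flow records and the IOS-style access-list rendered for each edge port. Interface names, prefixes and flow records are constructed for illustration.

```python
import ipaddress

# Constructed sample: source prefixes each edge interface (DSL aggregation port,
# dial pool, static corporate customer) may originate; documentation ranges only.
CUSTOMER_PREFIXES = {
    "dsl-agg-1": ["192.0.2.0/25"],
    "dialup-pool": ["198.51.100.0/24"],
    "corp-cust-a": ["203.0.113.0/26", "203.0.113.64/26"],
}

# Constructed flow records as (ingress interface, source address).
SAMPLE_FLOWS = [
    ("dsl-agg-1", "192.0.2.10"),
    ("dsl-agg-1", "10.9.8.7"),         # source outside the customer's space
    ("dialup-pool", "198.51.100.77"),
    ("corp-cust-a", "203.0.113.200"),  # past the end of the second /26
    ("unknown-port", "192.0.2.10"),    # no prefix list on file: fail closed
]

def build_allowed(prefix_table):
    """Parse prefix strings once into ip_network objects keyed by interface."""
    return {intf: [ipaddress.ip_network(p) for p in plist]
            for intf, plist in prefix_table.items()}

def is_spoofed(allowed, interface, src_ip):
    """Ingress check: spoofed if the source lies outside every prefix assigned
    to the arrival interface. Unknown interfaces fail closed (all flagged)."""
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in allowed.get(interface, []))

def find_spoofed(allowed, flows):
    """Return the (interface, source) records that fail the ingress check."""
    return [(intf, src) for intf, src in flows if is_spoofed(allowed, intf, src)]

def ingress_acl_lines(nets, acl_number):
    """IOS-style extended ACL for one edge port: permit the customer's own
    prefixes as sources, deny and log the rest. hostmask is the wildcard mask."""
    lines = [f"access-list {acl_number} permit ip {n.network_address} {n.hostmask} any"
             for n in nets]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines

if __name__ == "__main__":
    allowed = build_allowed(CUSTOMER_PREFIXES)
    for rec in find_spoofed(allowed, SAMPLE_FLOWS):
        print("spoofed source:", rec)
    print("\n".join(ingress_acl_lines(allowed["corp-cust-a"], 101)))
```

Regenerating the ACL from the table whenever a customer's prefixes change is the "logistical nightmare" the quoted reply describes; the table is what has to stay current, the rendering is mechanical.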
