dsl providers that will route /24
John Fraizer
nanog at Overkill.EnterZone.Net
Fri Mar 30 11:27:20 UTC 2001
On Fri, 30 Mar 2001, David Schwartz wrote:
>
> I'm going to keep this really simple and go really slow so
> there's no chance of a misunderstanding.
>
> You have a customer A. He has two customers, B and C. Your
> filter allows A, B, and C's assigned addresses as source addressees on
> the link to/from customer A.
>
> Your customer A, receives a packet from customer B with a source
> address assigned to customer C. Your filter allows it even though it's
> spoofed. You know why that is? Because your filter can't tell a
> spoofed packet from an unspoofed packet.
>
Um... Check this out. Customer B should be filtering TOO! They know what
addresses they're assigned!!!!!!!
> Customer B dials up to another ISP. He gets an IP address. He
> sends a packet sourced with that IP address to your customer A who
> forwards it to you. It's not spoofed, but your filter blocks it. Do
> you know why that is? Because your filter can't tell a spoofed packet
> from an unspoofed packet.
Yes it is spoofed. If we're not announcing a route to it and and it's
originating from our network (customer or not) it's SPOOFED! I don't care
what you say. No inbound route equals no outbound route. Sure, in the
pre-script-kiddie world, this would have been a quasi-legit packet but
NOW, it's NOT! Technology exists to allow all LEGIT traffic to be properly
tunneled. If they want to VPN, do it two-way. Otherwise, NIX IT!
> You may be entirely happy with your filter, and it may be doing
> exactly what you want it to do. I won't dispute that. But the fact
> remains that your filter cannot tell a spoofed packet from an
> unspoofed packet. And there's a simple reason for this -- your filter
> can't tell where a packet actually originated, and that's what you
> need to know to tell whether it's spoofed or not.
My filter knows if we're ANNOUNCING a route to the originating
address. If we're NOT, we NIX the packet. No way back -- No way
from. It's that simple.
>
> Do you understand my point yet? A filter cannot tell a spoofed
> packet from an unspoofed packet. We've gone back and forth about four
> times and this simple point still seems to elude you. I wish I liked
> to play the name calling game as much as you do.
I've understood all along. And you're mistaken. Filters know what you
tell them. If you're announcing a route, you should accept traffic
to/from it. If not, you nix it. It's that simple.
As for name calling, I've exercised my weekly allotment of restraing in
the past 2 hours. Get a clue, PLEASE.
> DS
>
> PS: Am I the only one who was actually a little happy the day
> some big name sites got hit with DDoS attacks thinking this would
> finally bring some attention and real solutions to the problem of DoS
> attacks? Am I the only one disappointed with the fact that things have
> not gotten significantly better since then?
>
Yes. You are amount an elite STUPID few who found gratification in an
event that cause the REAL networks on the wire tons of grief. Your
statement above has caused me to disgard any remaining respect I might
have had for you because it is DUMB %^&#Ks like YOU that allowed it to
happen in the first place. Had the attacks come from source addresses
that were known to only originate from network-X, it would be easy to
NIX. Because of the fact that there are so manu clueless individuals like
yourself our there (and providers who are more than happy to sell you
connectivity), the attack was MUCH MORE EFFECTIVE.
As for things getting better, they won't until the clueless take a hint
from:
(1) History
(2) Those of us who already have a clue.
---
John Fraizer
EnterZone, Inc
More information about the NANOG
mailing list