What do you want your ISP to block today?
Gerardo Gregory
ggregory at affinitas.net
Sat Aug 30 13:55:26 UTC 2003
> > He added that ISPs have the view and ability to prevent en-masse
> > attacks. "All these attacks traverse their networks before they reach
> > you and me. If they would simply stop attack traffic that has been
> > identified and accepted as such, we'd all sleep better," Cooper said.
Frankly I don't want any of my ISPs filtering any of my traffic. I
think we need (especially enterprise administrators like myself) to take
some responsibility, and place our own filters. Filters not only to stop
the ingress attack but to also filter our own egress traffic.

I have encountered many private administrators who have the mentality
that all they need to do is filter the ingress traffic and do not place
egress filters on their networks. TSK TSK TSK!!!!!

Individuals like Rob Thomas, and countless others, provide frequently
updated Bogon Lists, templates, etc. Apply these to your edge. This is your
first layer of filtering. Make sure to apply NULL routes to the BOGONS so
you block these on the egress. Apply prefix lists if you are a BGP speaker
(keep that routing table clean), and access lists at your ingress point to
block any traffic from a BOGON (Bogus!!!) address. Now you are ready for
your next filters.

Use a chokepoint, and now filter your TCP/UDP ports, or any other
protocols you run internally (MS PORTS???). Making an all-inclusive filter
is the only way to go here.

Now keep yourself informed and modify your filters to mitigate attacks,
etc.

This might not be the easy way (the easy way would be to say... Hey ISP, it's
on you now... Filter this stuff!!!!) but it is the only sure way to protect
that network you administrate (which is your responsibility, not the ISP's).

Frankly all I want my ISP to do is to maintain my link with them,
provide me BGP routes, and accept my advertisements.

Your BOGONS are easily maintained since, once again, individuals like Rob
Thomas update their templates accordingly (THANKS!!!!!!!), and are nice
enough to also inform the list of upcoming changes.

A big letter "L" should be stamped on the forehead of anyone who was allowing
ingress traffic on those MS ports (and even more so if they were allowing
it to egress also).

Microsoft cannot blame the ISP networks for not filtering the ports used
by their proprietary protocols. Shame on them, shame on all those that left
these ports open on their networks.

Even if ISPs would begin filtering (a thought that doesn't make me too
happy) I would never trust their filters because I have no control over
them. Yes I am that paranoid!!!!!!!
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net
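The edge policy the post lays out (bogon access lists at ingress, NULL routes for bogons on egress, a prefix list for BGP speakers, and an all-inclusive port filter at the chokepoint), modelled as an added Python example; this is not part of the original post or any router vendor's configuration. The bogon subset, the site's own prefix 203.0.113.0/24, the allowed service ports and the /24 prefix-length limit are all assumed placeholders.

```python
import ipaddress

# Constructed sample subset of bogon space (RFC 1918, loopback, link-local,
# "this" network, multicast, reserved). Real bogon lists are longer and
# change over time, which is why the post says to keep them updated.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
# Assumed placeholder: the address space this site owns and announces.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed placeholder: the only services deliberately exposed to the world.
ALLOWED_INGRESS = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}
# Assumed policy: refuse BGP announcements more specific than /24.
MAX_PREFIX_LEN = 24

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)

def is_ours(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)

def ingress_decision(src, proto, dport):
    # Ingress ACL at the edge: drop bogon sources and packets that claim
    # our own space as source (spoofed), then apply the all-inclusive port
    # filter: anything not explicitly listed is denied.
    if is_bogon(src) or is_ours(src):
        return "deny-bogon"
    if (proto, dport) not in ALLOWED_INGRESS:
        return "deny-port"
    return "permit"

def egress_decision(src, dst):
    # Egress: the NULL route means packets to bogon space are discarded,
    # and packets whose source is not our own space never leave (anti-spoof).
    if is_bogon(dst):
        return "deny-null-route"
    if not is_ours(src):
        return "deny-spoofed-source"
    return "permit"

def route_accepted(prefix):
    # BGP prefix list: reject bogon prefixes and over-specific announcements.
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.overlaps(b) for b in BOGONS):
        return False
    return net.prefixlen <= MAX_PREFIX_LEN
```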