What do you want your ISP to block today?

Gerardo Gregory ggregory at affinitas.net
Sat Aug 30 13:55:26 UTC 2003


> >He added that ISPs have the view and ability to prevent en-masse
> > attacks. "All these attacks traverse their networks before they reach
> > you and me. If they would simply stop attack traffic that has been
> > identified and accepted as such, we'd all sleep better," Cooper said.

    Frankly I don't want any of my ISPs filtering any of my traffic.  I 
think we need (especially enterprise administrators like myself) to take 
some responsibility, and place our own filters.  Filters not only to stop 
the ingress attack but to also filter our own egress traffic.
    I have encountered many private administrators who have the mentality 
that all they need to do is filter the ingress traffic and do not place 
egress filters on their networks. TSK TSK TSK!!!!!
    Individuals like Rob Thomas, and countless others provide frequently 
updated Bogon Lists, templates, etc.  Apply these to your edge.  This is your 
first layer of filtering.  Make sure to apply NULL routes to the BOGONS so 
you block these on the egress.  Apply a prefix list if you are a BGP speaker 
(keep that routing table clean), and access list at your ingress point to 
block any traffic from a BOGON (Bogus!!!) address.  Now you are ready for 
your next filters.
    Use a chokepoint, and now filter your TCP/UDP ports, or any other 
protocols you run internally (MS PORTS???).  Making an all inclusive filter 
is the only way to go here.
    Now keep yourself informed and modify your filters to mitigate attacks, 
etc.
    This might not be the easy way (easy way would be to say...Hey ISP it's 
on you now...Filter this stuff!!!!) but it is the only sure way to protect 
that network you administrate (which is your responsibility not the ISP's).
    Frankly all I want my ISP to do is to maintain my link with them, 
provide to me BGP routes, and accept my advertisements.
    Your BOGONS are easily maintained since once again individuals like Rob 
Thomas update their templates accordingly (THANKS!!!!!!!), and are nice 
enough to also inform the list of upcoming changes.
    A big letter "L" should be stamped on anyone's forehead who was allowing 
ingress traffic on those MS ports (and even more so if they were allowing 
it to egress also).
    Microsoft cannot blame the ISP networks for not filtering the ports used 
by their proprietary protocols.  Shame on them, shame on all those that left 
these ports open on their networks.

    Even if ISPs would begin filtering (a thought that doesn't make me too 
happy) I would never trust their filters because I have no control over 
them.  Yes I am that paranoid!!!!!!! 

Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
 ------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net 
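The layered edge policy the post describes (bogon filtering at the edge, null routes for bogon destinations, anti-spoofing on egress, and an inclusive port filter at the chokepoint), modelled as an added Python example that is not part of the original post. The bogon list, the allocated prefix 203.0.113.0/24, the "internal-only" port set and the flows are constructed for illustration; a real deployment would load the maintained bogon templates and refresh them as they change.

```python
# Added example (not from the original post): a small model of the layered
# edge filtering policy discussed above. All prefixes, ports and flows here
# are constructed for illustration.
import ipaddress
from typing import NamedTuple

# Constructed bogon list: a few unambiguously reserved/private ranges.
# In practice this comes from a maintained template and must be refreshed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed: the address space this network is allocated (hypothetical).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Ports for protocols only run internally (the "MS ports" of the post).
INTERNAL_ONLY_PORTS = {135, 137, 138, 139, 445}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def ingress_verdict(f: Flow) -> str:
    """Traffic arriving from the ISP link toward our network."""
    if _in_any(f.src, BOGONS):
        return "deny: bogon source"
    if _in_any(f.src, OUR_PREFIXES):
        return "deny: spoofed source claims our own prefix"
    if f.proto in ("tcp", "udp") and f.dport in INTERNAL_ONLY_PORTS:
        return "deny: internal-only port"
    return "permit"

def egress_verdict(f: Flow) -> str:
    """Traffic leaving our network toward the ISP link."""
    if not _in_any(f.src, OUR_PREFIXES):
        return "deny: source not in our prefixes (anti-spoofing)"
    if _in_any(f.dst, BOGONS):
        return "deny: bogon destination (null route)"
    if f.proto in ("tcp", "udp") and f.dport in INTERNAL_ONLY_PORTS:
        return "deny: internal-only port"
    return "permit"

def null_routes() -> list:
    """Render the bogon list as IOS-style static routes to Null0."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in BOGONS]
```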




More information about the NANOG mailing list