Block all servers?
jlewis at lewis.org
Sat Oct 11 14:23:32 UTC 2003
Didn't Susan ask for this topic to move off-list? Anybody (no...not
Merit) care to step up and create a nanog-issues list where such
discussions can continue unmolested when the nanog topic police declare an
important topic off-topic?

I can understand how some operators might not want to hang out with the
masses in spam-l or spam-tools, or waste their time with the noise and
kooks in nanae. But these are some pretty serious problems and if we
can't come up with solutions soon, the internet is pretty much totally
screwed.

See more below....
On Sat, 11 Oct 2003, Petri Helenius wrote:
> Secondly, it's very hard, if not impossible, to come up with a NAT device which
> could translate a significant amount of bandwidth. Coming up with one to put
> just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)
So do the NAT closer to the edge. If you're providing DSL, do many of
your customers use DSL modems plugged into their PCs (USB, PCI), or are
you selling/leasing them DSL routers? In the very beginning, we either
sold or gave PCI or USB DSL modems to our customers, but those were
usually a PITA to support due to problems with Windows, driver issues,
hardware becoming unsupported when customers upgraded to the next version
of Windows, etc. Now, we only hook up DSL customers using DSL routers,
and all the DSL routers we've ever used can do NAT, so there'd be no need
to try to do NAT at the DSL agg router.

I suspect we could selectively do NAT or not for dial-up customers on our
access-servers...though I'm not sure how the very large (like AS5400,
AS5800) units would fare trying to do NAT for several hundred dial-up
sessions.
But why all this talk of NAT? Even if we all universally deployed it on
Monday, it wouldn't solve the problem. All it would do is keep the
spammer/hackers from turning grandma's PC into a web server/proxy. She
can still catch Tuesday's email virus which will cause her PC to hang out
in some IRC channel or monitor some web page, and be remotely controlled
for the purpose of sending spam, participating in DDoS floods...and now
things just got much harder to track down. When you get complaints that
a.b.c.d is participating in some kind of attack, how do you tell which of
the dozens or hundreds of customers NAT'd to that IP is
responsible/infected?
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
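An added illustration of the attribution problem raised at the end of the post (example code written for this page, not from the original message or any vendor): given per-translation NAT logs in a constructed, hypothetical format, an abuse complaint about a.b.c.d can be traced to one inside host only when it carries an accurate timestamp and the source port; with just the address and a time, every customer active behind that address at that moment is a candidate.

```python
"""Trace an abuse complaint about a shared NAT address back to inside hosts."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample NAT translation log (hypothetical format, not a real
# vendor's): start, end, inside host, public address, public source port.
NAT_LOG = """\
2003-10-11T13:58:02Z 2003-10-11T14:31:40Z 10.20.5.17 192.0.2.10 40001
2003-10-11T14:01:11Z 2003-10-11T14:05:09Z 10.20.5.42 192.0.2.10 40002
2003-10-11T14:10:55Z 2003-10-11T14:40:00Z 10.20.5.42 192.0.2.10 40003
2003-10-11T14:20:30Z 2003-10-11T14:22:00Z 10.20.5.99 192.0.2.10 40004
2003-10-11T14:20:31Z 2003-10-11T15:00:00Z 10.20.7.3 192.0.2.11 40001
"""


@dataclass(frozen=True)
class Translation:
    start: datetime
    end: datetime
    inside: str
    public_ip: str
    public_port: int


def parse_ts(s: str) -> datetime:
    """Parse the log's UTC timestamps; complaints must be in the same clock."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list[Translation]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, inside, pub_ip, pub_port = line.split()
        out.append(Translation(parse_ts(start), parse_ts(end), inside, pub_ip, int(pub_port)))
    return out


def candidates(log, public_ip, when, public_port=None) -> set[str]:
    """Inside hosts holding public_ip (and public_port, if known) at time `when`."""
    return {
        t.inside for t in log
        if t.public_ip == public_ip and t.start <= when <= t.end
        and (public_port is None or t.public_port == public_port)
    }


if __name__ == "__main__":
    log = parse_nat_log(NAT_LOG)
    when = parse_ts("2003-10-11T14:21:00Z")
    print("ip+time only:", candidates(log, "192.0.2.10", when))          # three customers
    print("ip+time+port:", candidates(log, "192.0.2.10", when, 40003))   # one customer
```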