Blocking worms/ddos for customer for free?
Daniel J. Evans
zpiggy1 at skwire.net
Mon Dec 6 20:28:18 UTC 2004
We have bogon filters in place to filter ingress traffic from our
upstreams. As for blocking worms and other nasties our views have
changed with the increasingly hostile climate...
In the past we have taken the approach that a "service provider" should
do exactly that - provide service. Since we didn't offer a managed
firewall service it was the responsiblity of our customers to protect
themselves and others from their infected machines. At the risk of
pouring gas on the fire, I think we're all aware of how well this works
in the face of Blaster, Nachi, Code Red, and others.
As it stands now, we attempt to block this type of traffic before it
enters our network where possible. Not because we want to protect the
65 year-old retired school teacher who just signed up for his first DSL
account with no firewall, no antivirus software, etc. Our focus is
strictly to protect our access and distribution routers from having to
deal with the flood of unnecessary collateral traffic associated with
Grandpa** and his new fandangled internet thingy.
--
It's not easy juggling a pregnant wife and a troubled child, but
somehow I still manage to squeeze in 8 hours of TV a day.
- Homer Simpson
Daniel Evans
On Mon, 6 Dec 2004 21:46:04 +0200
Kim Onnel <karim.adel at gmail.com> wrote:
>
> Hello,
>
> Currently, on our ingress, we block spoofed packets, common worms/trojans ports.
>
> We do that for all of our customers(residential DSL, Dial-up,
> Corporate DSL, and the data center hosted websites/servers), however,
>
> For me there are 2 ways to look at it,
> if i leave these worms to come in, they would consume our bandwidth
> and CPU, and on the other hand, it looks like we're giving a free
> service, which in a way uses up our resources,
>
> Its the same for DDoS, if i stop it for a customer, i'm giving him a
> free a service, if i dont, its gonna wreck my network.
>
> Personally, i block the illegitimate packets out of my network(egress)
> but thats because i owe this to the internet community, even if i am
> not getting paid for it.
>
> I would like to know other providers policy about this?
More information about the NANOG
mailing list