Whoops - I was transposing my email threadz .... sorry about that
Hey but I wish we could give the ISPs an incentive to filter or at least
enforce strict source address validation at ingress to the Internet
Sorry again
John
-----Original Message-----
From: Valdis.Kletnieks (at) vt (dot) edu [email concealed] [mailto:Valdis.Kletnieks (at) vt (dot) edu [email concealed]]
Sent: 03 February 2003 19:05
To: Joel Tyson
Cc: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip)
On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson (at) pa.eplus (dot) com [email concealed]> said:
> The best way to handle these types of packets would be to route them to a
> null0 interface. This way the packets will be dropped without icmp
response.
> Typically all ISP should have these ACL's configured on their border
routers;
> but they don't.
There's not much financial incentive for many ISPs to filter - when you're
billing based on traffic volume, you don't really want all those probes to
go away. So what if 20% of the traffic is probes? That's 20% more income
for the provider, and many providers are in a financial crunch - that 20%
may be all that's keeping them afloat. As long as they don't get burned by
an SQL worm that takes out their infrastructure too, why should the filter?
/Valdis (who is having a more-cynical-than-usual day)
***********************
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Whoops - I was transposing my email threadz .... sorry about that
Hey but I wish we could give the ISPs an incentive to filter or at least
enforce strict source address validation at ingress to the Internet
Sorry again
John
-----Original Message-----
From: Valdis.Kletnieks (at) vt (dot) edu [email concealed] [mailto:Valdis.Kletnieks (at) vt (dot) edu [email concealed]]
Sent: 03 February 2003 19:05
To: Joel Tyson
Cc: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip)
On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson (at) pa.eplus (dot) com [email concealed]> said:
> The best way to handle these types of packets would be to route them to a
> null0 interface. This way the packets will be dropped without icmp
response.
> Typically all ISP should have these ACL's configured on their border
routers;
> but they don't.
There's not much financial incentive for many ISPs to filter - when you're
billing based on traffic volume, you don't really want all those probes to
go away. So what if 20% of the traffic is probes? That's 20% more income
for the provider, and many providers are in a financial crunch - that 20%
may be all that's keeping them afloat. As long as they don't get burned by
an SQL worm that takes out their infrastructure too, why should the filter?
/Valdis (who is having a more-cynical-than-usual day)
***********************
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]