[Dshield] Private IP addresses

security@admin.fulgan.com security at admin.fulgan.com
Fri Jul 27 13:42:36 GMT 2001


>> My ISP doesn't bother to block 192.168 addresses on their own network,

JBU>   Overall, there is nothing wrong with an ISP using 'non routable' IPs
JBU> for internal machines. The problem is to filter them out on the gateway.
JBU> An ISP should not permit any traffic to leave its network with a source
JBU> IP that is not part of its public IP range. Also, it should not allow
JBU> any traffic in that is originating from non routable IPs.


Well, a really well-rounded ISP should:

1/ Properly filter out spoofed packets, both on their gateway and in
their client first node.

2/ By default filter NetBIOS ports.

3/ Run anti-virus scanners on their mail gateway.

4/ Have someone actually READ the filter logs.

Sadly, I have failed to find ANY ISP that follows more than one of
these...

Good luck,
Stephane
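
The gateway rule quoted above (nothing leaves with a source outside the ISP's public range, nothing enters with a non-routable source), together with a summary for whoever reads the filter log, as an added example that is not part of the original message. The public range 198.51.100.0/24, the record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Non-routable (RFC 1918) ranges, including the 192.168 addresses from the thread.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the ISP's public range (a documentation prefix stands in for it).
ISP_PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def gateway_verdict(direction, src):
    """Return (action, reason) for a packet crossing the ISP gateway."""
    addr = ipaddress.ip_address(src)
    if direction == "out":
        # Egress: the source must belong to the ISP's public range.
        if not in_any(addr, ISP_PUBLIC):
            return ("drop", "egress source outside public range")
    elif direction == "in":
        # Ingress: a non-routable source cannot be genuine Internet traffic.
        if in_any(addr, PRIVATE_NETS):
            return ("drop", "ingress source is non-routable")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return ("pass", "ok")


# Constructed sample records: (direction, source, destination).
SAMPLE = [
    ("out", "198.51.100.23", "203.0.113.9"),   # legitimate customer traffic
    ("out", "192.168.1.44", "203.0.113.9"),    # internal address leaking out
    ("out", "203.0.113.77", "192.0.2.5"),      # source not in the public range
    ("in", "10.4.4.4", "198.51.100.23"),       # non-routable source from outside
    ("in", "192.0.2.80", "198.51.100.23"),     # ordinary inbound traffic
    ("out", "192.168.1.44", "192.0.2.5"),      # same leaking host again
]


def review(records):
    """Count drops per (direction, source, reason), most frequent first."""
    drops = Counter()
    for direction, src, _dst in records:
        action, reason = gateway_verdict(direction, src)
        if action == "drop":
            drops[(direction, src, reason)] += 1
    return drops.most_common()
```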



