[Dshield] Bizarre Activity Spurt...

Thu Oct 20 18:05:58 GMT 2005

On Thu, 20 Oct 2005 18:34:51 +0200, Freek de Kruijf said:

> This brings me to the question why Internet Exchange Centers don't have 
> proper anti-spoof filters.

Because it's an incredible pain to do that at a peering point (which is what I
think you meant by 'internet exchange center').  The problem is that it's
pretty easy to put an ingress filter on our main connection to our main
provider (i.e. right on the border of AS1312) that (for example) only lets
packets for 128.173/16 and 198.82/16 go through, since those are the two
major address blocks for our AS.

It's a lot harder to do proper filtering where our upstream (AS7066 -
networkvirginia) talks to the rest of the net, and by the time it gets to the
Sprint backbone, it's almost impossible, due to the problems caused by
asymmetric routing.  In other words, if there's more than one known path,
you don't always know which one it will take.  So stuff like uRPF checking
doesn't work except for single-homed sites right on the edge.

Another issue is that it's not too hard to do filtering on our main pipe, because
it's only in the OC12 to OC48 class.  You get to a major peering point, and you
might have the equivalent of multiple OC96 and OC192 links coming and going.  If
the added overhead of doing "proper" filtering means that you need a second
router, that may be a million dollars or more in costs, for not much gain in
security (because carrier-class routers are almost always deployed in places where
simple uRPF won't work anyhow).
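The point above (a static source-prefix filter is easy at a single-homed border, but strict reverse-path checks break once routing is asymmetric) can be shown with a toy FIB. This is an added illustration, not code from the list post; the FIB, interface names and the 203.0.113.0/24 and 192.0.2.0/24 sample prefixes are constructed.

```python
import ipaddress

# Constructed FIB for a multihomed router: prefix -> interface the best route exits.
FIB = {
    ipaddress.ip_network("128.173.0.0/16"): "cust0",   # our own AS, behind cust0
    ipaddress.ip_network("198.82.0.0/16"):  "cust0",
    ipaddress.ip_network("203.0.113.0/24"): "peerA",   # constructed: learned via peer A
    ipaddress.ip_network("0.0.0.0/0"):      "peerB",   # default route via peer B
}
SITE_PREFIXES = [ipaddress.ip_network("128.173.0.0/16"),
                 ipaddress.ip_network("198.82.0.0/16")]


def best_route(fib, addr):
    """Longest-prefix match for addr; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    matches = [n for n in fib if a in n]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def strict_urpf(fib, src, in_iface):
    """Strict uRPF: accept only if the best route back to src exits via in_iface.
    Under asymmetric routing a legitimate packet can arrive on another interface
    and be dropped, which is the failure the post describes."""
    return best_route(fib, src) == in_iface


def loose_urpf(fib, src):
    """Loose uRPF: accept if any non-default route to src exists (bogon check only)."""
    a = ipaddress.ip_address(src)
    return any(a in n and n.prefixlen > 0 for n in fib)


def border_antispoof(src, outbound):
    """Static filter at a single-homed border: outbound packets must carry one of
    our own source prefixes, inbound packets must not (the 128.173/16, 198.82/16 rule)."""
    ours = any(ipaddress.ip_address(src) in p for p in SITE_PREFIXES)
    return ours if outbound else not ours


if __name__ == "__main__":
    # Legitimate source 203.0.113.7 arriving via peer B instead of peer A:
    print("strict via peerB:", strict_urpf(FIB, "203.0.113.7", "peerB"))  # False (false positive)
    print("loose  via peerB:", loose_urpf(FIB, "203.0.113.7"))            # True
    # Outside packet claiming one of our own addresses: both checks reject it.
    print("spoofed own prefix:", strict_urpf(FIB, "128.173.4.4", "peerA"))  # False
```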

