Re: [apnic-talk] NICs and Egress filtering?
Thanks for the reply -- comments below.
Joe Abley wrote:
>
> On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> > Hi,
> >
> > I look after Internet security for our company and have often wondered
> > ....
> >
> > Considering how important egress filtering of spoofed IP addresses is in
> > preventing Distributed Denial Of Service attacks, I was wondering
> > whether APNIC and the other NICs have considered requiring IP address
> > holders to apply egress filters on their boundary routers?
>
> I think the more usual place to apply filters to catch spoofing is
> on the ingress to your network, on the customer-facing circuit.
> Packet filtering is frequently expensive, which is a good reason
> to push it out to the edge.
>
An egress filter prevents spoofed addresses entering the Internet from
that router -- say I'm an ISP with clients that have compromised PCs with
a DDOS program; an egress filter will prevent those packets with spoofed
source IP addresses from leaving my router.
> > It seems to me the major NICs are about the only body that have the
> > wherewithal to enforce these filters.
>
> How would they enforce them?
No filter, no route to your network, of course! The technical difficulty as
I see it would be to test for this externally to the router with the
filter -- I don't know enough about IP to know if it is possible.
--
Phil Crooker ORIX Australia 61 8 8443 6844
UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
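
The two filter placements discussed in this thread, compared side by side in an added example that is not part of either poster's message: a source-address filter on the border router (checked against the ISP's whole aggregate) versus one on each customer-facing circuit (checked against that customer's own prefix). The prefixes, circuit names and packets are constructed sample data using documentation address ranges.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes); not from the thread.
ISP_AGGREGATE = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_PREFIXES = {                      # customer-facing circuit -> assigned prefix
    "cust-a": [ipaddress.ip_network("198.51.100.0/26")],
    "cust-b": [ipaddress.ip_network("198.51.100.64/26")],
}
PACKETS = [                                # (arriving circuit, source address)
    ("cust-a", "198.51.100.10"),           # legitimate
    ("cust-a", "203.0.113.7"),             # spoofed, outside the ISP's space
    ("cust-b", "198.51.100.20"),           # spoofed, borrows cust-a's address
    ("cust-b", "198.51.100.70"),           # legitimate
]

def permitted(src, prefixes):
    """True if the source address falls inside one of the allowed prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def dropped_at_border(packets):
    """Egress filter on the border router: only the ISP aggregate may leave."""
    return [(c, s) for c, s in packets if not permitted(s, ISP_AGGREGATE)]

def dropped_at_customer_edge(packets):
    """Filter on each customer circuit: only that customer's prefix may enter."""
    return [(c, s) for c, s in packets
            if not permitted(s, CUSTOMER_PREFIXES[c])]

def missed_by_border(packets):
    """Spoofed packets the customer-edge filter drops but the border lets out."""
    border = set(dropped_at_border(packets))
    return [p for p in dropped_at_customer_edge(packets) if p not in border]

if __name__ == "__main__":
    print("dropped at border egress:", dropped_at_border(PACKETS))
    print("dropped at customer edge:", dropped_at_customer_edge(PACKETS))
    print("leaves with border only: ", missed_by_border(PACKETS))
```

The border filter stops sources outside the ISP's address space, but a source borrowed from another customer inside the same aggregate still leaves the network unless the per-circuit filter is also in place.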