Re: [apnic-talk] NICs and Egress filtering?
While it is an admirable thought, I think it would be stepping on dangerous
ground if the registries got involved in what ISPs did or did not do. The
registries, after all, are only there to ensure the fair and reasonable
distribution of IP address space and AS numbers.
There are various RFCs (and BCP documents) produced by the community which
aim to provide all ISPs and end sites with the correct advice on how to go
about connecting to the Internet. You probably know about
http://www.denialinfo.com, which is probably one of the better places to
start looking for Internet security advice...
However, it is reasonable for APNIC's routing special interest group to
take the idea on, and produce a set of recommendations for the APNIC
membership, and further afield. The RIPE Working Groups operate on a
similar model, and have produced several valuable documents.
Maybe something to suggest at the APNIC members meeting at the end of
APRICOT? Or something for the APNIC Routing SIG meeting the day before?
philip
--
At 11:06 08/01/2001 +1030, Phil Crooker wrote:
>Hi,
>
>I look after Internet security for our company and have often wondered
>....
>
>Considering how important egress filtering of spoofed IP addresses is in
>preventing Distributed Denial Of Service attacks, I was wondering
>whether APNIC and the other NICs have considered requiring IP address
>holders to apply egress filters on their boundary routers?
>
>It seems to me the major NICs are about the only body that have the
>wherewithal to enforce these filters. Once done, we would not only
>eliminate DDOS attacks but also make DOS trackable, eliminate spam
>spoofing and hacker techniques that use spoofing.
>
>I guess the main problem would be how to test for it externally.
>
>Anyone care to comment?
>
>regards,
>--
>
>Phil Crooker ORIX Australia 61 8 8443 6844
>UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
>
>* APNIC-TALK: General APNIC Discussion List *
>* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *