Re: SYN spoofing

[Wayne Bouchard <web () typo org>]

Right, but ISPs can still filter on the corporate networks and at the
aggregation points for DSL and dial and any non-bgp customer. Those
talking BGP to you should be encouraged to do similarly. The full
thing is like next to impossible to maintain but doing these kinds of
relatively stady-state bits and pieces can help.


> On Wed, 28 Jul 1999, Greg A. Woods wrote:
>
> > [ On Wednesday, July 28, 1999 at 11:21:35 (-0400), Daniel Senie wrote: ]
> > > Subject: Re: SYN spoofing
>
> > In fact it's easy to buy off-the-shelf hardware today that can do
> > wire-speed filtering, assuming one has worked such costs into the budget
> > of building a network backbone....
>
> It is possible to do access filtering on the edges.  Then comes the
> operational aspects of actually making such a thing scale across many many
> edge devices, especially when there are customers with their own space,
> and who may have customers behind them with _their_ own space.  If a
> promising local isp is providing transit to a bunch of other local isps,
> changing every access-list on every edge node every time one of the
> customer isp's adds or deletes a customer, becomes a logistical nightmare.
>
> Some promising local isp's are then faced with blowing out huge
> access-lists virtually every hour of the day, and this becomes harder to
> manage when you take into accounts and now you have several tens of
> promising local isps all trying to match access-lists all around.  Not to
> mention the actual physical limits on current hardware regarding the size
> of configurations. 
>
>
> /vijay


----------------------------------------------------------------------
Wayne Bouchard                             Frontier GlobalCenter
web () globalcenter net
Network Engineer
(602) 416-6290   800-373-2499 x6290
FAX: (602) 416-6111                        http://www.globalcenter.net
----------------------------------------------------------------------