nanog mailing list archives

RE: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T


From: Pekka Savola <pekkas () netcore fi>
Date: Thu, 3 Jun 2004 09:55:11 +0300 (EEST)


On Wed, 2 Jun 2004, Michel Py wrote:
> Jon R. Kibler wrote:
> > IMHO, there is absolutely no excuse for not doing ingress and
> > egress filtering. In fact, if you are an ISP, I would argue
> > that you are negligent in your fiduciary responsibilities to
> > your customers and shareholders if you are not filtering
> > source IP addresses.
>
> Hey, I'm all for it. Where's the money and the staff?

set routing-options forwarding-table unicast-reverse-path feasible-paths
set interfaces yy-x/x/x unit 0 family inet rpf-check

What else do you need?

Or did you buy crap that doesn't support (good) uRPF, or even doesn't
support (line-rate) filtering?  Change the vendors and filter at your
core connecting those crappy boxes then.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
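
What the two configuration lines in the message above change, as an added example (not part of the original message, and a simplified model rather than any router's implementation): a strict uRPF check evaluated with the default active-paths behaviour and with feasible-paths. The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> [(interface, is_active_path), ...].
# 192.0.2.0/24 models a multihomed customer: the best route points at
# ge-0/0/1, and a valid but inactive backup route points at ge-0/0/2.
RIB = {
    "192.0.2.0/24": [("ge-0/0/1", True), ("ge-0/0/2", False)],
    "198.51.100.0/24": [("ge-0/0/3", True)],
}

def lookup(src):
    """Longest-prefix match on the packet's source address."""
    addr = ipaddress.ip_address(src)
    best_net, best_paths = None, None
    for prefix, paths in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_paths = net, paths
    return best_paths

def rpf_accept(src, in_iface, mode):
    """Strict uRPF: accept only if a route back to src uses the arrival interface.

    mode "active-paths"   -> only the active (best) route counts
    mode "feasible-paths" -> inactive routes to the prefix count as well
    """
    paths = lookup(src)
    if paths is None:
        return False  # no route back to the source at all
    if mode == "active-paths":
        return any(iface == in_iface and active for iface, active in paths)
    if mode == "feasible-paths":
        return any(iface == in_iface for iface, _ in paths)
    raise ValueError("unknown mode: " + mode)

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface)
    packets = [
        ("192.0.2.10", "ge-0/0/1"),   # customer traffic on the best path
        ("192.0.2.10", "ge-0/0/2"),   # same customer, asymmetric via backup link
        ("192.0.2.10", "ge-0/0/3"),   # customer's source on someone else's port
        ("203.0.113.5", "ge-0/0/1"),  # source with no route in the table
    ]
    for src, iface in packets:
        print(src, iface,
              "active:", rpf_accept(src, iface, "active-paths"),
              "feasible:", rpf_accept(src, iface, "feasible-paths"))
```

The second packet is the case feasible-paths exists for: legitimate asymmetric traffic from a multihomed customer is dropped by the active-paths check but accepted once inactive routes are considered, while the spoofed and unrouted sources are dropped in both modes.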


