Re: [apnic-talk] NICs and Egress filtering?
Phil and all,
Interesting topic. (See more of my comments below)
Phil Crooker wrote:
> Hi,
>
> I look after Internet security for our company and have often wondered
> ....
>
> Considering how important egress filtering of spoofed IP addresses in
> preventing Distributed Denial Of Service attacks, I was wondering
> whether APNIC and the other NICs have considered requiring IP address
> holders to apply egress
> filters on their boundary routers?
Egress filtering is only one such method of dealing with these problems.
Requiring only one such method is inconsistant with good IP address
and router management in some sectors. I am afraid it would meet with
some significant resistance.
>
>
> It seems to me the major NICs are about the only body that have the
> where-with-all to enforce these filters. Once done, we would not only
> eliminate DDOS attacks but also make DOS trackable, eliminate spam
> spoofing and hacker techniques that use spoofing.
Egress is also "Spoofable" as has been already shown.
>
>
> I guess the main problem would be how to test for it externally.
>
> Anyone care to comment?
Just did. >;)
>
>
> regards,
> --
>
> Phil Crooker ORIX Australia 61 8 8443 6844
> UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
>
> * APNIC-TALK: General APNIC Discussion List *
> * To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
Regards,
--
Jeffrey A. Williams
Spokesman INEGroup (Over 112k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1 at ix dot netcom dot com
Contact Number: 972-447-1800 x1894 or 9236 fwd's to home ph#
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *