ingress filtering

Who *does* do ingress filtering? I have it on our border routers
and customer connect ports. We have transit from MCI and UUNET.
Neither has ingress filters -- see below message from MCI on
The result of course is that spammers and other bad guys can try
to attack your systems with forged source IP addresses.
Random strange people in the 'net send "NETBIOS name service"
(port 137) packets to my unix mail relay, which of course ignores
Other such fun things continue to be seen in the logs.

I have the luxury of being able to filter for source address at my ingress
points on only two routers. That makes it relatively easy to do. I find
a surprising number of packets with source addresses from inside my
network or from the private IP space.


The great thing about the CC images released by cisco is that
(as long as you're running with ip cef or ip cef dist) you can turn
this neato command on on your interfaces to your customers:

  ip verify unicast reverse-path

  This automatically does filtering based on your local router's
routing table.

  This means you can take a customer connection and filter them.

  You will encounter problems if they are multihomed and have
netblocks that you don't route directly to them, but you can make
those changes later as they multihome. We've had a few problems with
our customers and doing this, when we don't route all their address
space, but this is easily fixed. Asymmetrical routing is an evil you
have to live with and adjust to, so if you have more than
one upstream, I would not apply such filters to those interfaces.

  I would recommend that everyone who has the ability to do this
on their routers do so. This will help many possible problems.

  If we can get enough people to make this part of their default
configuration (such as no ip directed-broadcast is these days) on their
ports to customers, we could prevent many DoS attacks. If you have
dialup lans (i.e. MCI, UUNET, etc., who have big public dialup pools)
PLEASE filter these, as well as the smaller providers out there.

  - jared
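
The reverse-path check Jared describes, written out as an added Python model (not code from the post or from cisco) over a constructed routing table with constructed addresses: strict uRPF accepts a packet only when the route back to its source leaves via the interface it arrived on, which drops forged and private sources on a customer port but also, as the post warns, a multihomed customer's netblocks you do not route to them until those routes are added.

```python
import ipaddress

# Constructed routing table for a hypothetical provider edge router:
# (prefix, interface the router forwards out of). Longest prefix match wins.
ROUTES = [
    ("0.0.0.0/0", "Serial0"),          # default route towards the upstream
    ("192.0.2.0/24", "Ethernet1"),     # customer A, single-homed
    ("198.51.100.0/24", "Ethernet2"),  # customer B: only part of its space routed here
    ("10.0.0.0/8", "Null0"),           # private space has no legitimate return path
]

def lookup(routes, src):
    """Return the interface the router would use to reach src (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def strict_urpf_accepts(routes, src, ingress):
    """Strict reverse-path check, as 'ip verify unicast reverse-path' behaves:
    accept only if the best route back to the source points out the ingress interface."""
    return lookup(routes, src) == ingress

def classify(routes, src, ingress):
    return "pass" if strict_urpf_accepts(routes, src, ingress) else "drop"

if __name__ == "__main__":
    # Customer B forging customer A's address: the return path is Ethernet1, so it drops.
    print("spoofed 192.0.2.10 on Ethernet2:", classify(ROUTES, "192.0.2.10", "Ethernet2"))
    # Private source on a customer port: the route is Null0, so it drops.
    print("private 10.1.2.3 on Ethernet1:", classify(ROUTES, "10.1.2.3", "Ethernet1"))
    # The multihoming caveat: customer B also uses 203.0.113.0/24, which we do not
    # route to Ethernet2, so their legitimate traffic is dropped...
    print("203.0.113.5 on Ethernet2 (no route to customer):",
          classify(ROUTES, "203.0.113.5", "Ethernet2"))
    # ...until the rest of their address space is routed to their port.
    fixed = ROUTES + [("203.0.113.0/24", "Ethernet2")]
    print("203.0.113.5 on Ethernet2 (route added):",
          classify(fixed, "203.0.113.5", "Ethernet2"))
```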

In article <>,