ingress filtering

Who *does* do ingress filtering? I have it on our border routers
and customer connect ports. We have transit from MCI and UUNET.
Neither has ingress filters -- see below message from MCI on
this.

We do ingress and egress filtering. It's just a matter of keeping people
on both sides of the border router from spoofing either by mistake or
maliciously.

The result of course is that spammers and other bad guys can try
to attack your systems with forged source IP addresses.
Random strange people in the 'net send "NETBIOS name service"
(port 137) packets to my unix mail relay, which of course ignores
them.

The NETBIOS name service comes from Winblows machines. I would venture to
guess that your mailserver also has a resolver running that is also most
likely authoritative for your or someone's domain. Either that or you are
specifying that resolver via RADIUS to your dialup clients.

When a Winblows box does a DNS lookup, for some reason, it will also send a
NETBIOS name service request thinking that there is a WINS resolver living
at the same IP. It's just another example of MS doing very strange things.
(Read: They don't know $h!t about IP and show it regularly!)

The dialup provider from which these requests are originating should be filtering
port 137 on egress to prevent it from making it to the global internet.
Then again, we should all be egress and ingress filtering, filtering ICMP
to our broadcast and network addresses and sending money to our favorite
charity too. No matter how much we harp, there will be idiots with the
keys to the router cabinets who just won't do the right thing.

<SNIP>

Rant trimmed for brevity

</SNIP>

When a Winblows box does a DNS lookup, for some reason, it will also send a
NETBIOS name service request thinking that there is a WINS resolver living
at the same IP. It's just another example of MS doing very strange things.
(Read: They don't know $h!t about IP and show it regularly!)

Actually it has nothing to do with WINS. If all the ISPs would implement
solid in-addr.arpa reverse mappings, this would go away. Microsoft's DNS
resolver has been extended, when DNS lookups fail, to do a reverse NETBIOS
query against the target machine so it can use its name when displaying
stuff via NBTSTAT, etc. It was designed this way, before the Internet
became popular.

Before we all rant at MS, I suggest we all read RFCs 1001 and 1002 and
UNDERSTAND NetBIOS over IP, before we blame ALL the world's ills on MS.
Last I knew, they weren't written by MS.

RFC 1001-> http://answerpointe.cctec.com/notes/rfcs1/254e_1e2.htm

RFC 1002-> http://answerpointe.cctec.com/notes/rfcs1/2e46_1e2.htm

Author(s): Defense Advanced Research Projects Agency, End-to-End Services
Task Force, Internet Activities Board, NetBIOS Working Group
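
The border policy discussed in this thread (source checks on ingress and egress, dropping port 137 on egress, dropping ICMP aimed at network and broadcast addresses), sketched as an added example that is not part of any poster's message. The prefixes are constructed documentation ranges, and the name `border_verdict` and the choice to match port 137 on both UDP and TCP are assumptions of this sketch.

```python
import ipaddress

# Constructed sample prefixes (documentation ranges), standing in for the
# address space that lives behind the border router.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/25")]
NETBIOS_NS_PORT = 137  # "NETBIOS name service" port named in the thread

# Network and broadcast address of every prefix we own.
NET_AND_BCAST = {a for n in OUR_NETS
                 for a in (n.network_address, n.broadcast_address)}

PERMIT = "permit"
DROP_SPOOFED_IN = "drop: our own prefix as source arriving from outside"
DROP_ICMP_DIRECTED = "drop: ICMP to network/broadcast address"
DROP_FOREIGN_OUT = "drop: source not in our prefixes leaving the site"
DROP_NETBIOS_OUT = "drop: NetBIOS name service leaving the site"


def is_ours(addr):
    """True if addr falls inside one of the prefixes behind the border."""
    return any(addr in net for net in OUR_NETS)


def border_verdict(direction, src, dst, proto, dport=None):
    """Decide what the border router should do with one packet.

    direction: "in"  = arriving from the transit provider,
               "out" = leaving toward the transit provider.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        # Ingress: nothing outside may claim to be one of our addresses.
        if is_ours(s):
            return DROP_SPOOFED_IN
        if proto == "icmp" and d in NET_AND_BCAST:
            return DROP_ICMP_DIRECTED
    elif direction == "out":
        # Egress: only our own source addresses may leave.
        if not is_ours(s):
            return DROP_FOREIGN_OUT
        if proto in ("udp", "tcp") and dport == NETBIOS_NS_PORT:
            return DROP_NETBIOS_OUT
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return PERMIT
```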