RE: Access Lists

It is more of a case of at all. My associates feel that if a downstream
ISP pissed someone off, it is their problem to solve, not ours. We do
filter traffic not destined for our IP space at our borders, but, for
the same reasons you stated, do nothing outbound, except on our BGP
sessions where we don't want certain netblocks routed in the Internet.
My concern is, if a perpetrator is persistent enough, he can write a
ping flood program that uses some obscure ICMP type that is rarely used,
say net-tos-redirect, and get in that way. Even if we were to block
ICMP completely, which would take away source-quench, he could use UDP,
or perhaps even TCP syn floods and the like to get at this guy. Either
way, it is a difficult situation. Moreover, it is difficult to trace
this stuff back through, because I have to get every ISP, NSP, etc, etc
involved in order to trace spoofed IP addresses.

Ho do you block spoofed IP addresses? I am already blocking ICMP
redirects and IP source routed packets. Is there a better way, or
should I just tell my customer to deal? I want to prevent this from
consuming my bandwidth as well.

Thanks!

-Chris

Deepak Wrote

Are you trying to avoid a precedent of filtering at all or just filter
at
a whim? I don't think its really possible nowadays to be responsible and
not do _any_ filtering.

I'd love to be able to not, but sometimes we have to. We also block
source
routed packets at our borders. We filter all inbound traffic to make
sure
it is destined for IPs that we route for (we can't filter outbound both
by
policy and technical difficulty).

-Deepak.

It's not always the ISP's fault... and while they should be the ones
ultimately responsible for protecting themselves against DoS attacks,
if a downstream of ours had a similar problem and came to us for aid, we
would probably at least make some attempt to help them get the problem solved.

I think there is a way to block spoofed addresses on the 75xx series, but as
I am not the Cisco/IOS expert here, I'm not sure exactly what it is. I am
going to check with the boss and if he has an answer I will present it here.

Hey Martin - is the address that is spoofed - one of your allocations -
cuz you can inbound filter internal addresses and apply the acl to the
HSSI's on your 7500 series (if that is what is being spoofed)