It is more of a case of at all. My associates feel that if a downstream
ISP pissed someone off, it is their problem to solve, not ours. We do
filter traffic not destined for our IP space at our borders, but, for
the same reasons you stated, do nothing outbound, except on our BGP
sessions where we don't want certain netblocks routed in the Internet.
My concern is, if a perpetrator is persistent enough, he can write a
ping flood program that uses some obscure ICMP type that is rarely used,
say net-tos-redirect, and get in that way. Even if we were to block
ICMP completely, which would take away source-quench, he could use UDP,
or perhaps even TCP syn floods and the like to get at this guy. Either
way, it is a difficult situation. Moreover, it is difficult to trace
this stuff back through, because I have to get every ISP, NSP, etc, etc
involved in order to trace spoofed IP addresses.
How do you block spoofed IP addresses? I am already blocking ICMP
redirects and IP source routed packets. Is there a better way, or
should I just tell my customer to deal? I want to prevent this from
consuming my bandwidth as well.
Thanks!
-Chris
Deepak wrote:
Are you trying to avoid a precedent of filtering at all or just filter at
a whim? I don't think it's really possible nowadays to be responsible and
not do _any_ filtering.
I'd love to be able to not, but sometimes we have to. We also block source
routed packets at our borders. We filter all inbound traffic to make sure
it is destined for IPs that we route for (we can't filter outbound both by
policy and technical difficulty).
-Deepak.
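The two anti-spoofing checks discussed in this thread (Deepak's border filter that only admits packets destined for the prefixes the network routes, and the customer-edge source check that answers Chris's question about blocking spoofed sources), written out as an added example; this is not code from either poster, and the prefixes and sample packets are constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed example prefixes standing in for "the IPs we route for".
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def _in_any(addr, prefixes):
    """True if addr falls inside one of prefixes (strings or networks)."""
    a = ip_address(addr)
    # ipaddress returns False, not an error, on a v4/v6 family mismatch.
    return any(a in ip_network(p) for p in prefixes)


def border_ingress_allowed(src, dst, our_prefixes=OUR_PREFIXES):
    """Packet arriving from the Internet at the border router.

    Drop traffic not destined for our own space (we are not a transit for
    it) and drop packets whose source claims to be one of our own addresses,
    since a genuine packet from inside would never arrive on this interface.
    """
    if not _in_any(dst, our_prefixes):
        return False
    if _in_any(src, our_prefixes):
        return False
    return True


def customer_egress_allowed(src, customer_prefixes):
    """Packet arriving on a customer-facing port.

    Admit it only if the source lies within that customer's allocation, so a
    customer host cannot emit floods with forged source addresses (the
    BCP 38 style of ingress filtering applied at the customer edge).
    """
    return _in_any(src, customer_prefixes)


def audit(packets, customer_prefixes):
    """Apply both checks to (port, src, dst) triples; return dropped ones."""
    dropped = []
    for port, src, dst in packets:
        ok = (border_ingress_allowed(src, dst) if port == "border"
              else customer_egress_allowed(src, customer_prefixes))
        if not ok:
            dropped.append((port, src, dst))
    return dropped


if __name__ == "__main__":
    sample = [("border", "203.0.113.5", "192.0.2.10"),   # legitimate inbound
              ("border", "192.0.2.7", "192.0.2.10"),     # forged internal source
              ("customer", "203.0.113.9", "192.0.2.1")]  # forged customer source
    print(audit(sample, ["192.0.2.32/27"]))
```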