
On 1999-09-02T11:44:12, "Gert Doering, Netmaster" <netmaster@space.net> said:
> On our ingress interfaces to our customers, we have very strict access lists ("permit ip <customer net> any / deny ip any any log").
Same here. A very good idea anyway, not just because of security, but because of customers who think "let's just continue increasing the last digit!". And I wish I had more time to work on the security issues. Fascinating topic. But there are so many fascinating topics and only 24 hours plus the night per day...
> On our external interfaces from our upstreams we deny packets with a source address coming from one our network blocks.
We also filter private addresses & martians. Sometimes a few of those come through. And on the outgoing interfaces we filter packets going to our own netblocks, so that we don't accidentally leak because of fucked up routing. And then there are the filters on the BGP4 sessions to prevent someone from injecting bogus routes into our AS (remember that EBGP learned routes take precedence over IGP, and more specific routes always take precedence, so if you don't filter correctly, someone might hijack one IP from your network).
> Interesting enough, we don't observe many attacks - what we do see is LOTS of broken end user configurations (leaking RFC 1918 networks, customers leaking IP addresses from other ISPs, ...).
Yeah. But it also helps to prevent smurf attacks etc. I do see a need for a RIPE Security WG to point these issues out to all ISPs/LIRs so at least those easy measures get taken. According to the annual report from last year, funding shouldn't be that much of a problem ;-)

Sincerely,
Lars Marowsky-Brie

--
Lars Marowsky-Brie
Network Management
teuto.net Netzdienste GmbH
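As an added illustration (not code from the thread or from either ISP), the four filter policies discussed above, customer ingress, upstream ingress, upstream egress and the EBGP prefix filter, expressed as a small Python model using the standard ipaddress module. All prefixes below are constructed documentation ranges; the interface name and the martian list are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example data: the netblocks this AS announces, the net assigned to one
# customer-facing interface, and a short martian/bogon list (RFC 1918 plus a few others).
OUR_BLOCKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
CUSTOMER_NETS = {"Serial0": [ip_network("192.0.2.128/25")]}   # hypothetical interface name
MARTIANS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def customer_ingress(iface, src):
    """Customer-facing ACL: 'permit ip <customer net> any / deny ip any any log'.
    Catches both 'last digit +1' mistakes and addresses leaked from other ISPs."""
    if _in_any(ip_address(src), CUSTOMER_NETS.get(iface, [])):
        return "permit"
    return "deny-log"


def upstream_ingress(src):
    """Upstream-facing ACL: drop packets claiming one of our own sources (spoofing,
    e.g. smurf reflection) and packets from private or martian source ranges."""
    s = ip_address(src)
    if _in_any(s, OUR_BLOCKS) or _in_any(s, MARTIANS):
        return "deny-log"
    return "permit"


def upstream_egress(dst):
    """Outbound ACL towards an upstream: never send traffic for our own netblocks
    out of the AS, so a broken routing table cannot leak it."""
    return "deny-log" if _in_any(ip_address(dst), OUR_BLOCKS) else "permit"


def ebgp_prefix_filter(prefix):
    """EBGP inbound prefix filter: reject our own blocks and any more-specific of them.
    EBGP beats the IGP and longer prefixes win, so such a route would hijack our addresses."""
    p = ip_network(prefix)
    if any(p.subnet_of(ours) for ours in OUR_BLOCKS):
        return "reject"
    return "accept"
```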