|
Hello,
On Mon, 15 Oct 2001, Peter Mueller wrote:
> > OTOH, your RS's ISP have to allow spoofed traffic with
> > src=212.43.218.153. The above traceroute should check it. Many
> > ISPs don't allow you to send traffic with foreign source address (the
> > VIP in your case).
>
> This is a DoS-defense behavior? I thought ISPs were all useless and your
> own routers had to have the right filter guards? When did this behavior
> start? ... not sure if I want my ISPs doing this kind of thing...
Yes, the end goal is anti-DoS, security, etc. But in some cases
the ISPs are not able to make all needed checks. I'm not guru and can't
comment all reasons. Of course, for your site where you know all networks
you can add the needed filters but this is for the incoming traffic. It
is again your responsibility to filter the outgoing traffic on your
edge routers, if possible. What you can't avoid is DoS from remote
clients using such relaxed filters.
> cheers (damn it is Monday)
>
> Peter
Regards
--
Julian Anastasov <ja@xxxxxx>
|
