North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: What do you want your ISP to block today?

  • From: Gerardo Gregory
  • Date: Sat Aug 30 10:10:35 2003

>He added that ISPs have the view and ability to prevent en-masse
> attacks. "All these attacks traverse their networks before they reach
> you and me. If they would simply stop attack traffic that has been
> identified and accepted as such, we'd all sleep better," Cooper said.
Frankly I dont want any of my ISP's filtering any of my traffic. I think we need (especially enterprise administrators like myself) to take some responsibility, and place our own filters. Filters not only to stop the ingress attack but to also filter our own egress traffic.
I have encountered many private administrators who have the mentality that all they need to do is filter the ingress traffic and do not place egress filters on their networks. TSK TSK TSK!!!!!
Individuals like Rob Thomas, and countless others provide frequently updated Bogon Lists, templates, etc. apply these to your edge. This is your first layer of filtering. Make sure to apply NULL routes to the BOGONS so you block these on the egress. Apply prefix list if you are a BGP speaker (keep that routing table clean), and access list at your ingress point to block any traffic from a BOGON (Bogus!!!) address. Now you are ready for your next filters.
Use a chokepoint, and filter now your TCP/UDP ports, or any other protocols you run internally (MS PORTS???). Making an all inclusive filter is the only way to go here.
Now keep yourself informed and modify your filters to mitigate attacks, etc.
This might not be the easy way (easy way would be to say...Hey ISP it's on you now...Filter this stuff!!!!) but it is the only sure way to protect that network you administrate (which is your responsibility not the ISP's).
Frankly all I want my ISP to do is to maintain my link with them, provide to me BGP routes, and accept my advertisements.
Your BOGONS are easily maintained since once again individuals like Rob Thomas update their templates accordingly (THANKS!!!!!!!), and are nice enough to also inform the list of upcoming changes.
A big letter "L" should be stamped on anyone's forehead who was allowing ingress traffic on those MS ports (and even more so if they where allowing it to egress also).
Microsoft cannot blame the ISP networks for not filtering the ports used by their proprietary protocols. Shame on them, shame on all those that left these ports open on their networks.

Even if ISP's would begin filtering (a thought that doesnt make me too happy) I would never trust their filters because I have no control over them. Yes I am that paranoid!!!!!!!
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Visit us at