[NCLUG] Egress Filtering

Charles Clarke clarke at clarkecomputer.com
Wed Aug 8 08:06:41 MDT 2001


On Wed, 8 Aug 2001, Mark Fassler wrote:

> If it does affect the performance of the router significantly, then it 
> might be difficult to get many people to implement it.  (egress filtering 
> doesn't protect *your* network, it only protects the rest of the 
> Internet..)
> 
> If egress routing was implemented on the majority of routers (and 
> certainly all the big ones) this would stop many DDoS attacks.
> 
> Since this is something that would only be mutually beneficial and not 
> individually beneficial, perhaps it would be appropriate for the 
> government to require that all new routers implement egress routing.

Seems like it would mainly be needed on the outer edges where machines
can inject packets.  If we only have a router talking to other routers,
then as long as the routers talking to machines implement it, we don't
need to.

Also, you could argue that by limiting your legal exposure and
bandwidth (those pesky crackers won't use you for an ISP and you *know* how
much bandwidth they suck up and their other attacks that are traceable to 
your network take up support/legal time! :), it is individually
beneficial.  There are probably even other arguments....

charles



