Well, if they would push out IP address filters to CPE routers or CPE
interfaces to only allow packets with the customer's assigned source
addresses, then a lot of problems would just go away.
But universities can do the same internally, by putting address filters on
their own sub networks. Some university internal networks are quite
complicated, with a large number of sub networks. Simply preventing
spoofed IP addresses, or containing them to their sub network, would do a
lot to contain abusers, and probably dissuade them from conducting abuse.
--Dean
On Fri, 26 Sep 2003, Rich Graves wrote:
> On Fri, 26 Sep 2003 [EMAIL PROTECTED] wrote:
>
> > Which brings us to my question. Is there a way to harden a network such
> > that infected systems can live on that network without significantly
> > affecting the bandwidth swallowed by the other users? What methods are
>
> Recent Cisco routers can policy-route only ICMP traffic of the particular
> size used by Welchia, and recent Cisco switches can traffic-shape or filter
> in hardware at the port level.
>
> http://security.uconn.edu/uconn_response.html
> http://go.brandeis.edu/rpc
>
> I think most DSL/cable modem ISPs have pushed ICMP and 135-139 filters out
> to the cable modem/DSL router at the customer location. What this means for
> universities is that the ISPs simply don't care, so users are free to pick
> up their pre-compromised computer and take it to our networks which have
> file sharing open -- except at Stanford, which has killed all Windows
> networking, see http://securecomputing.stanford.edu/port-filter.html
> --
> Rich Graves <[EMAIL PROTECTED]>
> UNet Systems Administrator
>
>
> ---
> Send mail for the `bblisa' mailing list to [EMAIL PROTECTED]'.
> Mail administrative requests to [EMAIL PROTECTED]'.
>
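
Added example, not part of the original thread: a small audit of the per-subnet source address filter Dean describes, run over flow records to show what such a filter would drop. The interface names, prefixes and records are constructed for illustration, and the DHCP exception (clients without a lease send from 0.0.0.0 to UDP port 67) is an assumption about what a campus filter must still pass.

```python
import ipaddress

# Constructed mapping: prefixes assigned to each internal interface (hypothetical names).
ASSIGNED = {
    "vlan10-dorms": [ipaddress.ip_network("10.10.0.0/22")],
    "vlan20-labs": [ipaddress.ip_network("10.20.4.0/24"),
                    ipaddress.ip_network("10.20.5.0/24")],
}
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def source_allowed(iface, src, proto=None, dport=None):
    """True if a packet arriving on iface may carry source address src."""
    addr = ipaddress.ip_address(src)
    # A DHCP client with no lease yet sends from 0.0.0.0 to UDP/67;
    # a strict source filter that forgets this breaks address assignment.
    if addr == UNSPECIFIED:
        return proto == "udp" and dport == 67
    # Interfaces with no assigned prefixes fall through to default deny.
    return any(addr in net for net in ASSIGNED.get(iface, []))


def audit(records):
    """Return the records a per-subnet source filter would drop."""
    return [r for r in records
            if not source_allowed(r["iface"], r["src"], r.get("proto"), r.get("dport"))]


# Constructed sample flow records.
SAMPLE = [
    {"iface": "vlan10-dorms", "src": "10.10.1.37", "proto": "tcp", "dport": 80},
    {"iface": "vlan10-dorms", "src": "192.0.2.200", "proto": "icmp"},            # foreign source
    {"iface": "vlan10-dorms", "src": "0.0.0.0", "proto": "udp", "dport": 67},    # DHCP discover
    {"iface": "vlan10-dorms", "src": "0.0.0.0", "proto": "tcp", "dport": 135},   # not DHCP
    {"iface": "vlan20-labs", "src": "10.10.1.37", "proto": "tcp", "dport": 135}, # other subnet's address
    {"iface": "vlan20-labs", "src": "10.20.5.9", "proto": "udp", "dport": 53},
    {"iface": "vlan99-unknown", "src": "10.20.5.9", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print("would drop:", rec["iface"], rec["src"], rec.get("proto"), rec.get("dport"))
```
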