Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing"

From: Barry Margolin (barmar@genuity.net)
Date: 12/31/02


From: Barry Margolin <barmar@genuity.net>
Date: Tue, 31 Dec 2002 02:23:59 GMT

In article <pan.2002.12.31.00.50.11.460330@forme.com>,
Joe Schmoe <nomail@forme.com> wrote:
>On Mon, 30 Dec 2002 22:44:52 +0000, Barry Margolin wrote:
>
>> In article <pan.2002.12.30.20.49.41.320407@forme.com>, Joe Schmoe
>> <nomail@forme.com> wrote:
>>>On Mon, 30 Dec 2002 18:52:56 +0000, Barry Margolin wrote:
>>>> Since egress filtering forces organizations to use source addresses
>>>> that are assigned to them, you can use the source address to determine
>>>> what organization sent it.
>>>
>>>I know what you are saying and agree with you. But if the egress
>>>filtering is being done by your ISP, it is probably taking place at the
>>>border router for your subnet and that's as far back as they can trace
>>>it.
>>
>> Which is good enough, isn't it? They don't need to know which machine
>> is spamming, just what organization is, so that they can cancel your
>> connection if you don't stop.
>>
>> If the organization is also a service provider, they should be able to
>> further pin down which of their customers was using the specific IP at
>> the time.
>
>I dunno, maybe I am missing something here. Let's say you and me are both
>using mediaone as our ISP, your assigned IP is 207.46.249.222, mine is
>207.46.249.223...

My perspective was as an ISP that provides Internet connections to
enterprises, not consumer-grade broadband connections.

In our case, we assign 4.2.100.0/24 to Customer A, 4.2.101.0/25 to Customer
B, 4.2.101.128/25 to Customer C, and so on. If a packet comes in on
Customer A's T1 with a source address outside 4.2.100.0/24, the filter will
reject it. So Customer A can't spoof B or C's addresses, and vice versa.

Then if someone reports spam coming from 4.2.100.0/24, we know that it's
coming from one of Customer A's machines.

Actually, we don't really know that. It could be coming from some other
ISP that *doesn't* do egress filtering. But if the packets can be traced
back to coming from our backbone, we can be pretty sure that it came from
Customer A (not totally, though -- we have lots of multi-homed customers,
and can't enable "ip verify unicast reverse-path" on their connections --
but we know that it didn't come from Customers B or C, so it's narrowed
down considerably).

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
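
The per-customer source-address filter and the attribution step described in the message above, as an added example that is not part of the original post. The prefixes and customer labels are the ones the post gives; the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Assignments as given in the post; everything else here is illustrative.
ASSIGNMENTS = {
    "Customer A": ["4.2.100.0/24"],
    "Customer B": ["4.2.101.0/25"],
    "Customer C": ["4.2.101.128/25"],
}
PREFIXES = {c: [ipaddress.ip_network(p) for p in nets] for c, nets in ASSIGNMENTS.items()}


def permit(port_customer, src):
    """Source-address filter on one customer's access port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PREFIXES.get(port_customer, []))


def attribute(src):
    """Map a reported source address to the customer holding the longest matching prefix."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, c) for c, nets in PREFIXES.items() for net in nets if addr in net]
    return max(matches)[1] if matches else None


def filter_packets(packets):
    """Return (forwarded, dropped) lists for (port_customer, src) pairs."""
    forwarded, dropped = [], []
    for port, src in packets:
        (forwarded if permit(port, src) else dropped).append((port, src))
    return forwarded, dropped


# Constructed sample traffic: (access port the packet arrived on, claimed source address)
SAMPLE = [
    ("Customer A", "4.2.100.17"),   # legitimate
    ("Customer A", "4.2.101.5"),    # A claiming an address in B's range
    ("Customer B", "4.2.101.200"),  # B claiming an address in C's half of the /24
    ("Customer C", "4.2.101.200"),  # legitimate
    ("Customer B", "192.0.2.9"),    # address not assigned to any customer here
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    for port, src in fwd:
        print(f"forward {src:<14} from {port}; attributed to {attribute(src)}")
    for port, src in drop:
        print(f"drop    {src:<14} from {port}; range belongs to {attribute(src)}")
```

The attribution only holds for packets that entered through a filtered port, which is the caveat the post raises about traffic from networks that do not filter.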