When I worked at an ISP we would put anti-spoofing filters onto routers we leased to customers that block the private nets inbound and didnt allow them to spoof outbound. However we could do this only for customers who have their own router. We also couldnt do this on core routers because you might have 500 customers going through one ATM interface (via a switch) so the most you could do is allow customers to spoof each others addresses. On core routers which switch in hardware, ACL's normally push the switching through the CPU which hurts a lot. Also, given how many ISP staff didnt even know how to turn off packets sent to broadcast interfaces (see NANOG re smurf attacks a few years ago) its pretty clear people managing routers dont know much at all. ISP's are generally know to be reactionary rather than pro-active with security issues.
Slashdot Mirror
When I worked at an ISP we would put anti-spoofing filters onto routers we leased to customers that block the private nets inbound and didnt allow them to spoof outbound. However we could do this only for customers who have their own router. We also couldnt do this on core routers because you might have 500 customers going through one ATM interface (via a switch) so the most you could do is allow customers to spoof each others addresses. On core routers which switch in hardware, ACL's normally push the switching through the CPU which hurts a lot. Also, given how many ISP staff didnt even know how to turn off packets sent to broadcast interfaces (see NANOG re smurf attacks a few years ago) its pretty clear people managing routers dont know much at all. ISP's are generally know to be reactionary rather than pro-active with security issues.