On 5/12/18 03:14, Mark Andrews wrote:
>> sure, that's a fine point. Doesn't actually change the state of the world where: "If your control-plane collapses, you have an unavailability event" which is a security problem. It's also an operational problem and likely a cost problem :( but... maintaining availability is part of what a good isp security group will do for the isp.
>
> And the correct thing to do is to FIX THE BROKEN PRODUCT.
>
> If a ssh implementation is broken we don’t drop SSH packets. We fix the broken implementation of ssh.
>
> If there is a SQL injection problem we fix that problem rather than dropping HTTP
> and HTTPS packets.

Bad analogy there. If you are vulnerable to SQL injection problems, you just stop trusting whatever crap is being sent to your app, and enforce checks on the input, usually based on what you'd expect or what one might consider "sane". -- some extremists might call some of that a deviation from "be liberal in what you accept".

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492