[17265] in North American Network Operators' Group


Re: ingress filtering

daemon@ATHENA.MIT.EDU (Mr. Dana Hudes)
Thu May 28 14:47:44 1998

Date: Thu, 28 May 1998 14:11:41 -0400
From: "Mr. Dana Hudes" <dhudes@graphnet.com>
To: nanog@merit.edu

I have more than 2 routers and less than 100. One thing I've found with
some source addresses of mine coming from the upstream is packets in a
piece of PA space. For example, I have some addresses from my own PA /19
and some in /20 from UUNET. My UUNET /20 is part of a /11 of theirs. So
if packets of mine come into my router but have no more-specific route
from my IGP then off they go to UUNET. UUNET throws them back at me.  The
solution is a static blackhole for the announcement. Somehow all this
was easier with GateD, which made the blackhole for me automatically --
or maybe it's fond but hazily wrong memories. In any case, the blackhole
routes for one's own allocations help block wayward packets.
Now if I could make those blackholes properly propagate in OSPF....

Dana

Brian Horvitz wrote:
> 
> I have the luxury of being able to filter for source address at my ingress
> points on only two routers.  That makes it relatively easy to do.  I find
> a surprising number of packets with source addresses from inside my
> network or from the private IP space.
> 
>   Brian
> 
> On Thu, 28 May 1998, Mr. Dana Hudes wrote:
> 
> > Who *does* do ingress filtering? I have it on our border routers
> > and customer connect ports. We have transit from MCI and UUNET.
> > Neither has ingress filters -- see below message from MCI on
> > this.
> > The result of course is that spammers and other bad guys can try
> > to attack your systems with forged source IP addresses.
> > Random strange people in the 'net send "NETBIOS name service"
> > (port 137) packets to my unix mail relay, which of course ignores
> > them.
> > Other such fun things continue to be seen in the logs.
> >
> >
> > Subject: Re: RFC1918 addresses from MCI
> >    Date: Thu, 28 May 1998 08:16:23 -0700
> >    From: security@mci.net
> >       To: dhudes@graphnet.com
> >      CC: security@mci.net
> >
> > Mr. Hudes,
> >
> >
> > Thank you for your note.  MCI does not currently source filter address
> > space at its ingress points.  Addresses sourced from non-routable or
> > invalid addresses are not blocked or filtered.  Addresses destined to
> > non-routable address space are not routed.
> >
> > If you think it is a security issue and it is on-going then please
> > contact us with the target address so we can investigate.
> >
> >
> > Regards,
> >
> >
> > -Julian Min
> >

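Added example, not part of this thread or of any poster's configuration: a small Python model of the two things discussed above, the aggregate that needs a static blackhole so that packets for unallocated parts of an upstream-assigned block stop bouncing between customer and upstream, and a source-address ingress filter of the kind Brian and Dana describe (drop RFC 1918 sources and packets that claim to come from your own space when they arrive from the outside). All prefixes are constructed from RFC 5737 documentation space and stand in for the /20-inside-a-/11 layout in the message; the next-hop names, FIB layout and function names are this example's assumptions.

```python
"""Toy longest-prefix-match forwarding and ingress source filtering.

Constructed scenario (hypothetical, documentation addresses only):
  - the upstream assigned 198.51.100.0/24 to the customer (stands in for the /20),
  - the customer's IGP only carries the two /26 subnets that are actually in use,
  - everything else on the customer router follows a default route to the upstream.
Without a blackhole for the /24, a packet for an unused address inside it matches
only the default, goes back to the upstream, matches the /24 there, and loops
until its TTL expires.  With 'null0' for the /24 it is dropped on the first pass.
"""
import ipaddress

Net = ipaddress.IPv4Network

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

# Constructed: block the upstream assigned to the customer (stands in for the /20).
CUSTOMER_BLOCK = Net("198.51.100.0/24")
# Constructed: subnets actually deployed and therefore carried by the customer's IGP.
DEPLOYED = {Net("198.51.100.0/26"): "lan-a", Net("198.51.100.64/26"): "lan-b"}


def lookup(fib, dst):
    """Longest-prefix match over fib = {network: next_hop}; returns (network, next_hop)."""
    best = None
    for net, nh in fib.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def build_fibs(blackhole):
    """Two routers: 'customer' and 'upstream'.  blackhole=True installs the static
    null route for the whole assigned block, which is the fix the message describes."""
    customer = dict(DEPLOYED)
    customer[Net("0.0.0.0/0")] = "upstream"
    if blackhole:
        customer[CUSTOMER_BLOCK] = "null0"  # static blackhole for the aggregate
    upstream = {CUSTOMER_BLOCK: "customer", Net("0.0.0.0/0"): "internet"}
    return {"customer": customer, "upstream": upstream}


def forward(fibs, start, dst, ttl=64):
    """Walk one packet hop by hop starting at router `start`; return (outcome, hops)."""
    dst = ipaddress.ip_address(dst)
    node, hops = start, []
    while ttl > 0:
        match = lookup(fibs[node], dst)
        if match is None:
            return "no-route", hops
        net, nh = match
        hops.append((node, str(net), nh))
        if nh == "null0":
            return "dropped", hops
        if nh not in fibs:  # a LAN or the wider Internet: the packet has left our model
            return "delivered:" + nh, hops
        node, ttl = nh, ttl - 1
    return "ttl-expired", hops


def ingress_filter(src, own_prefixes, iface):
    """Source-address check for packets arriving from the upstream interface.

    Denies private (RFC 1918) sources and packets that claim to originate inside
    our own prefixes, the two classes of forged sources mentioned in the thread.
    Traffic on other interfaces is left to their own (customer-facing) filters."""
    src = ipaddress.ip_address(src)
    if iface != "upstream":
        return "permit"
    if any(src in n for n in RFC1918):
        return "deny:rfc1918"
    if any(src in n for n in own_prefixes):
        return "deny:own-space-from-outside"
    return "permit"


if __name__ == "__main__":
    unused = "198.51.100.200"  # inside the assigned /24 but in no deployed subnet
    print("no blackhole :", forward(build_fibs(False), "upstream", unused)[0])
    print("with blackhole:", forward(build_fibs(True), "upstream", unused)[0])
    print("deployed host :", forward(build_fibs(True), "upstream", "198.51.100.10")[0])
    for s in ("10.1.2.3", "198.51.100.5", "203.0.113.9"):
        print("ingress", s, "->", ingress_filter(s, [CUSTOMER_BLOCK], "upstream"))
```

The deployed /26 routes are more specific than the /24 null route, so real hosts are unaffected; only addresses with no IGP route fall through to the blackhole instead of to the default. On a router the equivalent of the `null0` entry is a static route for the aggregate pointing at the null interface (on Cisco IOS, `ip route 198.51.100.0 255.255.255.0 Null0` for this constructed block); the model does not cover Dana's remaining wish, redistributing that route into OSPF.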