[4941] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Dima Volodin)
Wed Oct 2 23:55:59 1996
To: pferguso@cisco.com (Paul Ferguson)
Date: Wed, 2 Oct 1996 23:52:37 -0400 (EDT)
Cc: dvv@sprint.net, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <2.2.32.19961003002034.006b5d0c@lint.cisco.com> from "Paul Ferguson" at Oct 2, 96 08:20:34 pm
From: dvv@sprint.net (Dima Volodin)
In the same document:
4. Liabilities
[...]
Also, while ingress filtering drastically reduces the
success of source address spoofing, it does not preclude an
attacker using a forged source address of another host
within the permitted prefix filter range.
I.e. a single compromised host in the "permitted prefix filter range"
can cause as much trouble as the current attacks. Granted, it's a bit
easier to track down a host like this, but eliminating the majority of
compromisable hosts is even more difficult than global implementation of
the cited document. The bitter irony is that non-implementation of this
draft will most probably correlate with the presence of compromisable hosts.
Thus host- (and firewall-) based solutions are at least as important as
the ingress filtering.
As for the evidence of these attacks: they were evident long before the
current talk.
Dima
Paul Ferguson writes:
> [...]
> Well, this is what we [collectively] have been talking about doing
> as a 'best current practice' since the attacks became evident.
>
> Also, see:
>
> [snip]
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> Title : Network Ingress Filtering
> Author(s) : P. Ferguson
> Filename : draft-ferguson-ingress-filtering-00.txt
> Pages : 6
> Date : 10/01/1996
> [...]
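As an added illustration (not code from this thread or from the draft), here is a small Python model of the per-interface ingress rule the draft describes, together with the liability quoted from its section 4: a forged source that belongs to another host inside the permitted range is forwarded, while the interface-to-prefix table still narrows down where such a packet entered. The interface names, prefixes and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (hypothetical values, not from the thread): each
# ingress interface of an ISP edge router and the customer prefixes that
# legitimately originate behind it.
INTERFACE_PREFIXES = {
    "serial0": [ipaddress.ip_network("192.0.2.0/24")],
    "serial1": [ipaddress.ip_network("198.51.100.0/25")],
}

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str

def ingress_permit(pkt: Packet, table=INTERFACE_PREFIXES) -> bool:
    """Ingress rule from the draft: forward only if the source address
    lies within a prefix that legitimately sits behind the arrival interface."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in table.get(pkt.ingress, []))

def filter_stream(pkts, table=INTERFACE_PREFIXES):
    """Split a packet stream into (forwarded, dropped) by the ingress rule."""
    forwarded = [p for p in pkts if ingress_permit(p, table)]
    dropped = [p for p in pkts if not ingress_permit(p, table)]
    return forwarded, dropped

def candidate_interfaces(src: str, table=INTERFACE_PREFIXES):
    """Traceback aid: once every interface filters, a forwarded packet can
    only have entered via an interface whose prefixes cover its source, which
    is why an in-range forger is 'a bit easier to track down'."""
    addr = ipaddress.ip_address(src)
    return sorted(i for i, nets in table.items() if any(addr in n for n in nets))

# Constructed traffic: a legitimate packet, an out-of-range forged source
# (dropped), and a forged source belonging to another host in the permitted
# range (the section 4 liability: forwarded, the filter cannot tell it apart).
SAMPLE = [
    Packet("serial0", "192.0.2.10", "203.0.113.5"),
    Packet("serial0", "198.51.100.7", "203.0.113.5"),
    Packet("serial0", "192.0.2.200", "203.0.113.5"),
]

if __name__ == "__main__":
    fwd, drop = filter_stream(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for p in fwd:
        print(p.src, "could only have entered via", candidate_interfaces(p.src))
```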