[52743] in North American Network Operators' Group


Re: Who does source address validation? (was Re: what's that smell?)

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Oct 10 02:23:27 2002

To: Steve Francis <steve@expertcity.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Wed, 09 Oct 2002 22:43:50 PDT."
             <3DA51396.3000403@expertcity.com> 
From: Valdis.Kletnieks@vt.edu
Date: Thu, 10 Oct 2002 02:22:43 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Wed, 09 Oct 2002 22:43:50 PDT, Steve Francis said:

> That's not terribly hard to overcome - allow icmp unreachables (from any 
> source) in your acl,  then deny all traffic from RFC 1918 addresses, 
> then the rest of the ACL.
> 
> Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up 
> with all the functionality, and almost none of the bogus traffic.

Amazingly enough, although there's a number of offenders in the 1918-numbered
tunnel category, we decided it was easier to just not worry about talking to
those providers' victi^H^H^H^H^Hcustomers(*).  We got tired of watching all the
DDoS-backscatter ICMP that *also* shows up with 1918 addresses on it. When
those show up, it means that some provider didn't filter whoever was forging
our address *AND* some provider wasn't filtering the 1918-sourced ICMP.  The
fact it's probably two different providers is enough to make you give up trying
to do something nice for the net and just go have too many beers instead.;)

/Valdis

(*) The problem usually tends to be self-correcting - the host that got bit
the most was our Listserv machine - and if outbound mail got hosed up for
TOO long, it would bounce, the victim would get unsubscribed, and no more
problems - at least till they manage to resubscribe.   Life got much nicer
once I made sure the "You must now confirm your subscription" message was
long enough to always trigger a 'frag needed'. ;)
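
Added example, not part of the original message: a first-match evaluation of the ACL ordering described in the quoted text, run over constructed packets. It shows that a 'frag needed' from a 1918-numbered tunnel is permitted, and that backscatter unreachables with 1918 sources match the same permit and are held back only by the rate limit. The packet fields, the per-batch cap standing in for CAR, and the permit-all stand-in for "the rest of the ACL" are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def is_unreachable(pkt):
    # ICMP type 3 = destination unreachable; code 4 is "frag needed"
    return pkt["proto"] == "icmp" and pkt.get("type") == 3

# First match wins, in the order given in the quoted text.
ACL = [
    ("permit icmp unreachable any", is_unreachable, "permit"),
    ("deny rfc1918 source", lambda p: is_rfc1918(p["src"]), "deny"),
    # Stand-in for "the rest of the ACL" (assumption: permit everything else).
    ("rest of acl", lambda p: True, "permit"),
]

def evaluate(pkt):
    for name, match, action in ACL:
        if match(pkt):
            return action, name
    return "deny", "implicit deny"

def filter_batch(packets, unreachable_budget):
    """Apply the ACL, then a crude per-batch cap standing in for CAR."""
    verdicts, used = [], 0
    for pkt in packets:
        action, rule = evaluate(pkt)
        if action == "permit" and is_unreachable(pkt):
            used += 1
            if used > unreachable_budget:
                action, rule = "deny", "icmp rate limit"
        verdicts.append((pkt["note"], action, rule))
    return verdicts

# Constructed sample traffic (not from the original post).
SAMPLE = [
    {"src": "10.1.1.1", "proto": "icmp", "type": 3, "code": 4, "note": "frag needed from 1918-numbered tunnel"},
    {"src": "192.168.5.5", "proto": "tcp", "note": "tcp from 1918 source"},
    {"src": "172.16.9.9", "proto": "icmp", "type": 3, "code": 1, "note": "backscatter unreachable, 1918 source"},
    {"src": "10.2.2.2", "proto": "icmp", "type": 8, "code": 0, "note": "echo request from 1918 source"},
    {"src": "198.51.100.7", "proto": "tcp", "note": "tcp from public source"},
]

if __name__ == "__main__":
    for note, action, rule in filter_batch(SAMPLE, unreachable_budget=10):
        print(f"{action:6} {rule:28} {note}")
```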

