[13885] in bugtraq


Re: DDOS Attack Mitigation

daemon@ATHENA.MIT.EDU (Stainforth, Matthew)
Thu Feb 17 06:37:02 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <B300A00CA469D211A37200A024CC29754196CC@BRUN_SM_FTON>
Date:         Wed, 16 Feb 2000 08:34:53 -0400
Reply-To: "Stainforth, Matthew" <MatthewS@STAFF.BRUNNET.NET>
From: "Stainforth, Matthew" <MatthewS@STAFF.BRUNNET.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

It might be of some benefit to note that 3Com's newer Total Control router
cards (HiPerARCs) have this feature built in with the command enabLE ip
sourCE_ADDRESS_FILTER.  This does, however, break the functionality of
routing subnets to dial customers.  And it doesn't put significant load on
the router cards themselves since they've been over-engineered as far as I
can tell.  So there is at least one vendor stepping in the right direction.

Matt...

> -----Original Message-----
> From: Homer Wilson Smith [mailto:homer@LIGHTLINK.COM]
> Sent: Monday, February 14, 2000 4:16 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: DDOS Attack Mitigation
>
>
>     Ingress/egress filters can be problematic; it's not just a performance
> problem.  With upstream providers being real harsh on handing out IP
> ranges, and insisting that every IP subnet be used regardless of how many
> criss-cross routes we have to put in our many routers to do it, the access
> lists also become complicated and prone to error.
>
>     One can be unforgiving and say "So what, it's the ISP's job to do it
> right." but many ISPs opt to keep it simple. For example, presently we
> have filters on our border routers, but not our inner routers, which have
> complex criss-cross routing tables as we send subnets in every which
> direction.  Thus presumably our customers can spoof each other, but not
> the external world.
>
>     If it gets out of hand we will take the next step.
>
>     Of course you are right though, much of the way to keep people from
> coming in and doing damage is for everyone to make sure their customers
> can't get out and do damage.  This is really the only workable model for
> stopping spam: you stop it going out, as stopping it from coming in is
> hopeless.
>
>     Homer
>
> ----------------------------------------------------------------------
> Homer Wilson Smith   Clear Air, Clear Water,  Art Matrix - Lightlink
> (607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
> homer@lightlink.com  Is that too much to ask? http://www.lightlink.com
>
> On Sun, 13 Feb 2000, Darren Reed wrote:
>
> > In some mail from Elias Levy, sie said:
> > [...]
> > > Network Ingress Filtering:
> > > --------------------------
> > >
> > > All network access providers should implement network ingress filtering
> > > to stop any of their downstream networks from injecting packets with
> > > faked or "spoofed" addresses into the Internet.
> > >
> > > Although this does not stop an attack from occurring, it does make it
> > > much easier to track down the source of the attack and terminate it
> > > quickly.
> > >
> > > For information on network ingress filtering read RFC 2267:
> > > http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
> >
> > You know, if anyone was of a mind to find someone at fault over this,
> > I'd start pointing the finger at ISPs who haven't been doing this
> > due to "performance reasons".  They've had the ability to do it for
> > years and in doing so would seriously reduce the number and possibility
> > of "spoofing" attacks.
> >
> > Darren
> >
>
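An added example, not code from this thread or from any vendor, modelling in Python the three arrangements the thread discusses: no filtering on inner routers (Homer's setup, where customers can spoof each other but not the outside world), RFC 2267 prefix-based ingress filtering on the customer port, and a filter that admits only the dial port's own address (the case that breaks routing a subnet to a dial customer, as Matt notes). The addresses, port names and sample packets are constructed.

```python
# Added example, not from the thread: a small model of RFC 2267-style
# source-address filtering for the ISP layout Homer describes.
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation ranges): the ISP holds one aggregate,
# and two dial customers each have a subnet routed to them via an inner router.
ISP_AGGREGATE = ip_network("192.0.2.0/24")
CUSTOMER_PREFIXES = {                    # inner-router port -> prefixes routed to it
    "dial-A": [ip_network("192.0.2.0/26")],
    "dial-B": [ip_network("192.0.2.64/26")],
}
PORT_ADDRESS = {                         # the single address assigned to each dial port
    "dial-A": ip_address("192.0.2.1"),
    "dial-B": ip_address("192.0.2.65"),
}

def inner_ingress_ok(port, src, mode):
    """Inner-router check on a packet arriving from a customer port."""
    src = ip_address(src)
    if mode == "none":            # Homer's inner routers: no filter at all
        return True
    if mode == "prefix":          # RFC 2267: source must lie in a prefix routed to the port
        return any(src in p for p in CUSTOMER_PREFIXES[port])
    if mode == "port-address":    # only the port's own address: breaks routed subnets
        return src == PORT_ADDRESS[port]
    raise ValueError(f"unknown mode {mode!r}")

def border_egress_ok(src):
    """Border-router check: traffic leaving the ISP must carry an ISP source."""
    return ip_address(src) in ISP_AGGREGATE

def classify(port, src, dst, mode):
    """Return where a packet entering on a customer port ends up."""
    if not inner_ingress_ok(port, src, mode):
        return "dropped-inner"
    if ip_address(dst) not in ISP_AGGREGATE and not border_egress_ok(src):
        return "dropped-border"
    return "forwarded"

# Constructed packets (port, src, dst), all entering on customer A's port.
PACKETS = [
    ("dial-A", "192.0.2.1", "198.51.100.5"),    # from the dial port's own address
    ("dial-A", "192.0.2.10", "198.51.100.5"),   # from a host in the subnet routed to A
    ("dial-A", "203.0.113.7", "198.51.100.5"),  # forged outside source, bound outside
    ("dial-A", "192.0.2.70", "192.0.2.80"),     # forged source from B's subnet, bound for B
]

def run(mode):
    """Classify every sample packet under one inner-router filtering mode."""
    return [classify(port, src, dst, mode) for port, src, dst in PACKETS]
```

With mode "none" the border filter still stops the forged outside source, but the packet using B's address reaches B; "prefix" stops both; "port-address" also drops the legitimate host behind the dial customer.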
