[6706] in bugtraq


Re: improved synflood protection & detection

daemon@ATHENA.MIT.EDU (Gert Doering)
Fri May 8 14:43:50 1998

Date: 	Wed, 6 May 1998 23:17:07 +0200
Reply-To: Gert Doering <gert@GREENIE.MUC.DE>
From: Gert Doering <gert@GREENIE.MUC.DE>
X-To:         vax@LINKDEAD.PARANOIA.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199805061054.FAA04766@linkdead.paranoia.com> from VaX#n8 at "May
              6, 98 05:54:37 am"

Hi,

VaX#n8 wrote:
[..]
> Consulting
> <URL:ftp://ftp.isi.edu/in-notes/iana/assignments/ipv4-address-space>
> one finds that there are several classes of reserved addresses,
> distinct from the private addresses codified in the related RFCs:
[..]
> It may be worthwhile to generate a list of all address blocks not
> recently routed and construct a filter based on those.

This list will be very large due to the highly fragmented nature of 192/8,
for example, and will be ever-changing.

As long as there is no automatized way to generate this list, for example
by a routing registry like "whois.ra.net", but more complete and better
authenticated against erroneous objects, this is doomed to fail due to
high maintenance efforts.

On the other hand, I can only urge every internet service provider out
there to carefully read RFC2267 ("Network Ingress Filtering") and apply
strong filters to all customer lines.  After all, you KNOW very exactly
which IP addresses this customer is using (you route them to him), so
you can easily filter all packets with other source addresses.

While this won't immediately have any benefits to your network, it has
enormous benefits to everybody else -- they can't be attacked by your
customers any more.  (Thanks to Alan Cox for pointing this out to me, and
to Paul Ferguson for writing the RFC about it!).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
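The per-customer ingress filter described in the message above, as an added example that is not part of Gert's post or of RFC 2267 itself. The interface names, prefixes and packet sample are constructed; the code simulates what the provider's router would do on each customer line: forward a packet only if its source address lies inside a prefix the provider routes to that customer, and fail closed for a line with no configured prefixes. The drop counter at the end is the detection side: a rise in drops on one line points at the customer host emitting spoofed packets.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example (hypothetical interface names and prefixes): the address
# blocks the provider routes to each customer line. Unlike a bogon list, this
# table is short and only changes when the customer's allocation does.
CUSTOMER_PREFIXES = {
    "serial0/1": ["192.0.2.0/24"],
    "serial0/2": ["198.51.100.0/25", "198.51.100.128/26"],
}


def build_ingress_filter(customer_prefixes):
    """Parse the per-interface prefix lists once into ip_network objects."""
    return {
        iface: [ip_network(p, strict=True) for p in prefixes]
        for iface, prefixes in customer_prefixes.items()
    }


FILTER = build_ingress_filter(CUSTOMER_PREFIXES)


def ingress_allowed(filters, iface, src):
    """RFC 2267 check for one packet: a packet arriving on a customer line is
    forwarded only if its source address lies inside a prefix routed to that
    customer. A line with no configured prefixes fails closed."""
    allowed = filters.get(iface)
    if not allowed:
        return False
    addr = ip_address(src)
    return any(addr in net for net in allowed)


def filter_packets(filters, packets):
    """Apply the ingress filter to (iface, src, dst) tuples.
    Returns (forwarded, dropped); dropped entries keep the whole tuple so the
    operator can see on which line the spoofed packets arrived."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_allowed(filters, iface, src) else dropped).append(pkt)
    return forwarded, dropped


def drops_per_interface(dropped):
    """Count dropped packets per customer line: a sudden rise on one line is
    the signal that a host behind it is sending spoofed traffic."""
    return dict(Counter(iface for iface, _src, _dst in dropped))


# Constructed packet sample: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("serial0/1", "192.0.2.7", "203.0.113.80"),       # customer 1, own address
    ("serial0/1", "198.51.100.5", "203.0.113.80"),    # customer 1 spoofing customer 2's range
    ("serial0/1", "10.0.0.1", "203.0.113.80"),        # customer 1, private source address
    ("serial0/2", "198.51.100.130", "203.0.113.25"),  # customer 2, second block
    ("serial0/2", "198.51.100.200", "203.0.113.25"),  # in the /24 but not routed to customer 2
    ("serial0/9", "192.0.2.9", "203.0.113.25"),       # line with no prefix list: fail closed
]

if __name__ == "__main__":
    fwd, drp = filter_packets(FILTER, SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for iface, n in sorted(drops_per_interface(drp).items()):
        print(f"  {iface}: {n} packet(s) dropped for foreign source address")
```

The check is deliberately an allow-list keyed on the ingress interface rather than a global deny-list: the provider already knows exactly which prefixes it routes to each line, so the match is exact and needs no maintenance beyond the customer's own allocation records.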
