Bugtraq mailing list archives

Re: DDOS Attack Mitigation

From: homer () LIGHTLINK COM (Homer Wilson Smith)
Date: Mon, 14 Feb 2000 15:16:14 -0500


    Ingress/egress filters can be problematic, its not just a performance
problem.  With upstream providers being real harsh on handing out IP
ranges, and insisting that every IP subnet be used regardless of how many
criss cross routes we have to put in our many routers to do it, the access
lists also become complicated and prone to error.

    One can be unforgiving and say "So what, its the ISP's job to do it
right." but many ISP's opt to keep it simple. For example presently we
have filters on our border routers, but not our inner routers which have
complex criss cross routing tables as we send subnets in every which
direction.  Thus presumably our customers can spoof each other, but not
the external world.

    If it gets out of hand we will take the next step.

    Of course you are right though, much of the way to keep people from
coming in and doing damage is for everyone to make sure their customers
can't get out and do damage.  This is really the only workable model for
stopping spam, you stop it going out, as stopping it from coming in is
hopeless.

    Homer

------------------------------------------------------------------------
Homer Wilson Smith   Clear Air, Clear Water,  Art Matrix - Lightlink
(607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
homer () lightlink com  Is that too much to ask? http://www.lightlink.com

On Sun, 13 Feb 2000, Darren Reed wrote:

In some mail from Elias Levy, sie said:
[...]

Network Ingress Filtering:
--------------------------

All network access providers should implement network ingress filtering
to stop any of their downstream networks from injecting packets with
faked or "spoofed" addressed into the Internet.

Although this does not stop an attack from occurring it does make it
much easier to track down the source of the attack and terminate it
quickly.

For information on network ingress filtering read RFC 2267:
http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt


You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".  They've had the ability to do it for
years and in doing so would seriously reduce the number and possibility
of "spoofing" attacks.

Darren

Current thread:

NetBSD Security Advisory 1999-012, (continued)
- - - NetBSD Security Advisory 1999-012 Daniel Carosone (Feb 15)
    - Re: DDOS Attack Mitigation Chris Cappuccio (Feb 15)
    - Re: DDOS Attack Mitigation Carson Gaspar (Feb 15)
    - Re: DDOS Attack Mitigation John Edwards (Feb 15)
    - Re: DDOS Attack Mitigation Ryan Russell (Feb 16)
    - Administrivia Elias Levy (Feb 16)
    - Re: DDOS Attack Mitigation John Payne (Feb 14)
    - Re: DDOS Attack Mitigation Julien Nadeau (Feb 14)
    - Re: DDOS Attack Mitigation Bennett Todd (Feb 15)
    - rp_filter? (was Re: DDOS Attack Mitigation) Julien Nadeau (Feb 18)
    - Re: DDOS Attack Mitigation Homer Wilson Smith (Feb 14)
    - Re: DDOS Attack Mitigation Andrzej Bialecki (Feb 14)
    - Re: DDOS Attack Mitigation Darren Reed (Feb 14)
    - "Association of Responsible Internet Providers"? David Nesting (Feb 15)
    - Re: DDOS Attack Mitigation Andreas Busse (Feb 15)
    - Re: Evil Cookies. Ari Gordon-Schlosberg (Feb 08)
    - Re: Evil Cookies. Michael Bryan (Feb 08)
    - Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
    - Re: Statistical Attack Against Virtual Banks HC Security (Feb 08)
    - Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
    - Re: Statistical Attack Against Virtual Banks HC Security (Feb 09)

(Thread continues...)