Bugtraq mailing list archives
Re: DDOS Attack Mitigation
From: MatthewS () STAFF BRUNNET NET (Stainforth, Matthew)
Date: Wed, 16 Feb 2000 08:34:53 -0400
It might be of some benefit to note that 3Com's newer Total Control router cards (HiPerARCs) have this feature built in with the command enabLE ip sourCE_ADDRESS_FILTER. This does, however, break the functionality of routing subnets to dial customers. And it doesn't put significant load on the router cards themselves since they've been over-engineered as far as I can tell. So there is at least one vendor stepping in the right direction.

Matt...
-----Original Message-----
From: Homer Wilson Smith [mailto:homer () LIGHTLINK COM]
Sent: Monday, February 14, 2000 4:16 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: DDOS Attack Mitigation

Ingress/egress filters can be problematic, it's not just a performance problem. With upstream providers being real harsh on handing out IP ranges, and insisting that every IP subnet be used regardless of how many criss-cross routes we have to put in our many routers to do it, the access lists also become complicated and prone to error. One can be unforgiving and say "So what, it's the ISP's job to do it right," but many ISPs opt to keep it simple.

For example, presently we have filters on our border routers, but not our inner routers, which have complex criss-cross routing tables as we send subnets in every which direction. Thus presumably our customers can spoof each other, but not the external world. If it gets out of hand we will take the next step.

Of course you are right though, much of the way to keep people from coming in and doing damage is for everyone to make sure their customers can't get out and do damage. This is really the only workable model for stopping spam: you stop it going out, as stopping it from coming in is hopeless.

Homer

------------------------------------------------------------------------
Homer Wilson Smith      Clear Air, Clear Water,     Art Matrix - Lightlink
(607) 277-0959          A Green Earth and Peace.    Internet Access, Ithaca NY
homer () lightlink com    Is that too much to ask?    http://www.lightlink.com

On Sun, 13 Feb 2000, Darren Reed wrote:

> In some mail from Elias Levy, sie said:
> [...]
> > Network Ingress Filtering:
> > --------------------------
> > All network access providers should implement network ingress filtering to stop any of their downstream networks from injecting packets with faked or "spoofed" addresses into the Internet. Although this does not stop an attack from occurring it does make it much easier to track down the source of the attack and terminate it quickly.
> >
> > For information on network ingress filtering read RFC 2267:
> > http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
>
> You know if anyone was of a mind to find someone at fault over this, I'd start pointing the finger at ISPs who haven't been doing this due to "performance reasons". They've had the ability to do it for years and in doing so would seriously reduce the number and possibility of "spoofing" attacks.
>
> Darren
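The three situations discussed in this thread (a filter only at the border, so customers can still spoof each other; a per-port filter that admits only the port's own assigned address and therefore breaks routing a subnet to a dial customer; and a per-port filter that knows every prefix routed toward the port) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread, from 3Com or from RFC 2267 itself; the interface names, the RFC 5737 documentation addresses and the sample packets are all constructed for illustration.

```python
"""Model of RFC 2267-style ingress (source-address) filtering.

Added illustration for the thread above; not vendor or thread code.
Each customer-facing interface carries the list of source prefixes
legitimately expected from behind it.  A packet whose source address is
not covered by its ingress interface's list is dropped.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing using RFC 5737 documentation ranges (assumption).
ISP_AGGREGATE = "198.51.100.0/24"       # the ISP's own block as announced upstream
DIAL_A_ADDRESS = "198.51.100.10/32"     # dial customer A's assigned address
DIAL_A_ROUTED_SUBNET = "192.0.2.0/29"   # a subnet routed to customer A behind the dial link
DIAL_B_ADDRESS = "198.51.100.20/32"     # dial customer B's assigned address


class IngressFilter:
    """Per-interface source-address filter."""

    def __init__(self):
        self._allowed = {}  # interface name -> list of permitted source networks

    def add_interface(self, name, prefixes):
        self._allowed[name] = [ip_network(p) for p in prefixes]

    def permit(self, iface, src):
        """True if a packet with source `src` may enter through `iface`."""
        addr = ip_address(src)
        return any(addr in net for net in self._allowed[iface])

    def apply(self, packets):
        """Map each (iface, src) pair to the verdict 'forward' or 'drop'."""
        return {(iface, src): ("forward" if self.permit(iface, src) else "drop")
                for iface, src in packets}


def border_only_policy():
    """Filtering only at the ISP edge: every customer port accepts any source
    the ISP originates, so a customer can still spoof another customer."""
    f = IngressFilter()
    for iface in ("dial-A", "dial-B"):
        f.add_interface(iface, [ISP_AGGREGATE, DIAL_A_ROUTED_SUBNET])
    return f


def strict_single_address_policy():
    """Per-port filter accepting only the port's own assigned /32: stops
    intra-ISP spoofing but drops a subnet legitimately routed to the port."""
    f = IngressFilter()
    f.add_interface("dial-A", [DIAL_A_ADDRESS])
    f.add_interface("dial-B", [DIAL_B_ADDRESS])
    return f


def prefix_aware_policy():
    """Per-port filter accepting every prefix routed toward that port:
    stops intra-ISP spoofing without breaking routed subnets."""
    f = IngressFilter()
    f.add_interface("dial-A", [DIAL_A_ADDRESS, DIAL_A_ROUTED_SUBNET])
    f.add_interface("dial-B", [DIAL_B_ADDRESS])
    return f


# Constructed sample packets seen on customer A's port: (ingress interface, source).
SAMPLE_PACKETS = [
    ("dial-A", "198.51.100.10"),  # A using its own address: legitimate
    ("dial-A", "192.0.2.3"),      # host on the subnet routed to A: legitimate
    ("dial-A", "198.51.100.20"),  # A using customer B's address: spoofed inside the ISP
    ("dial-A", "203.0.113.9"),    # A using an address outside the ISP: spoofed externally
]


def evaluate(policy_factory):
    """Run the sample packets through one policy and return the verdicts."""
    return policy_factory().apply(SAMPLE_PACKETS)


if __name__ == "__main__":
    for policy in (border_only_policy, strict_single_address_policy, prefix_aware_policy):
        print(policy.__name__)
        for (iface, src), verdict in evaluate(policy).items():
            print(f"  {iface} src={src:<15} -> {verdict}")
```

Run as a script, the border-only policy forwards the intra-ISP spoof (the gap Homer describes), the strict single-address policy drops the host on the routed subnet (the breakage Matthew notes), and only the prefix-aware policy gets all four verdicts right. The per-port prefix list is exactly the information the routing table already holds for that port, which is why the check need not be expensive.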
Current thread:
- Re: DDOS Attack Mitigation Elias Levy (Feb 11)
- <Possible follow-ups>
- Re: DDOS Attack Mitigation Darren Reed (Feb 15)
- Re: DDOS Attack Mitigation Stainforth, Matthew (Feb 16)
- Re: DDOS Attack Mitigation Elias Levy (Feb 18)
- Re: DDOS Attack Mitigation Randy Bush (Feb 18)