Security Incidents mailing list archives
Re: Private networks and home.{net|com}
From: jpapen () YAHOO COM (Jeffrey Papen)
Date: Thu, 10 Feb 2000 16:00:10 -0800
I would totally disagree. AtHome has protected all of their internal router interfaces from DDoS attacks by having 1918 address space. It is true that pings/traceroutes can't originate from those routers, but it will be happily passed by them. The massive DDoS attacks this week have been aimed at the default gateway routers for the ISPs, and have proven very effective.

I think that AtHome has very intelligently protected themselves. There are only two types of router interfaces exposed to attack: the peering router interfaces are exposed and AtHome can pressure their peers into adding CAR. The other is the default gateway of AtHome subscribers, and these interfaces can be protected w/ CAR anywhere along the data path where it is most convenient.

- Jeffrey

--- Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ> wrote:
> On Wed, 9 Feb 2000, Rasmus Andersson wrote:
> > It's perfectly legal (and in many ways good) to use those addresses on
> > link networks, and filtering out ALL traffic from such addresses is
> > therefore a Bad Idea(tm). In particular, you MUST let ICMP Unreachable -
> > Fragmentation Needed through to not damage path-MTU discovery. IMHO you
> > should let any ICMP Unreachables through as well as Time Exceeded.
>
> I might have a very good reason not to allow any RFC-1918-address
> originated datagrams from outside: I might be using these addresses myself
> in my internal network. Why should I allow anyone to spoof internal
> traffic of any kind?
>
> IMHO, it is a Bad Idea(tm) to allow a PRIVATE address to appear in a
> PUBLIC network! And people who do it are messing things up themselves.
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
=====
Yahoo Network Operations
work: 408-616-3897
page: 408-619-0572
cell: 650-580-2684
email: jeffrey () papen com
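The two border-filtering positions quoted in this thread, side by side, as an added example that is not part of any poster's message: one drops every RFC 1918-sourced datagram arriving from outside, the other lets ICMP Destination Unreachable and Time Exceeded through so path-MTU discovery and traceroute keep working. The `Packet` class, the policy function names and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three RFC 1918 private blocks (listed explicitly; ip.is_private covers more).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_DEST_UNREACH = 3    # code 4 = Fragmentation Needed (path-MTU discovery)
ICMP_TIME_EXCEEDED = 11  # sent by routers when TTL expires (traceroute)

@dataclass(frozen=True)
class Packet:
    """Hypothetical view of a datagram seen on the external interface."""
    src: str
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def strict_policy(pkt: Packet) -> str:
    """Drop anything from outside that claims a private source address."""
    return "drop" if is_rfc1918(pkt.src) else "pass"

def icmp_error_policy(pkt: Packet) -> str:
    """As strict, but let ICMP Unreachable and Time Exceeded through."""
    if not is_rfc1918(pkt.src):
        return "pass"
    if pkt.proto == "icmp" and pkt.icmp_type in (ICMP_DEST_UNREACH,
                                                 ICMP_TIME_EXCEEDED):
        return "pass"
    return "drop"

# Constructed sample packets arriving on the external interface.
SAMPLES = {
    "frag_needed":   Packet("10.1.2.3", "icmp", ICMP_DEST_UNREACH, 4),
    "time_exceeded": Packet("172.16.9.1", "icmp", ICMP_TIME_EXCEEDED, 0),
    "echo_request":  Packet("192.168.0.5", "icmp", 8, 0),
    "spoofed_tcp":   Packet("10.0.0.7", "tcp"),
    "just_outside":  Packet("172.32.0.1", "tcp"),   # not in 172.16.0.0/12
    "public_udp":    Packet("198.51.100.10", "udp"),
}

def compare() -> dict:
    """Map sample name -> (strict verdict, ICMP-error-exception verdict)."""
    return {name: (strict_policy(p), icmp_error_policy(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:14} strict={verdicts[0]:4} icmp_errors={verdicts[1]}")
```

The policies differ only on the two ICMP error rows: the strict filter discards Fragmentation Needed messages from RFC 1918-numbered link interfaces, while the exception passes them and leaves spoofed TCP and echo traffic dropped.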