Re: SYN floods (was: does history repeat itself?)

[Alexis Rosen <alexis () panix com>]

Alex.Bligh writes:
> "Justin W. Newton" <justin () erols com> wrote:
> > At 09:08 PM 9/9/96 -0400, Avi Freedman wrote:
> > > This is *exactly* the right thing to do; every provider which does
> > > not provide complicated transit (which excludes even certain regionals,
> > > alas) should do this at their borders if they don't do it at each customer
> > > connect.
> > >
> > > And everyone should at least filter on each customer 56k/t1/etc...
> > > I know router cycles are tight but it might *really* become
> > > imperative...
> >
> > Am I missing something....
> >
> > If I am announcing a network via BGP I am more or less agreeing to carry
> > traffic for it.  If I am not I am not.  Therefore, if I filter based on my
> > outbound BGP announcements and do not allow any packets which have a source
> > address not originating from a network in my BGP announcements then I
> > should not be causing any harm to the networks which I am providing
> > connectivity to.  This has the added benefit of stopping people from
> > defaulting into me at exchange points as I will not carry that traffic
> > across my backbone.  I'd love to hear the holes in this theory.
> I think you are talking about filtering inbound packets to your
> router and restricting them to BGP announcements (I don't
> think Avi was - see below). This would be done on the destination
> address (checking it was within your announced route set) and
> thus doesn't help protect against spoofed source addresses.

No, Justin's talking about filtering _customers'_ packets at Justin's
border with the customer. No BGP involved. This assumes customers that
are not providers (ie, no transit for other nets through the customer).
Good enough if all providers do the right thing (or if almost all do).

What Justin meant about his BGP announcements was that a customer's
packet is legal IFF Justin's announcing that packet's net by BGP (on
_behalf_ of the customer, not _to_ the customer). Again, customer means
a site that's not a BGP peer.


> I
> *think* what Avi was talking about was filtering outbound packets
> by source address and checking these are within announced routes.

Taht was one thing Avi mentioned (he showed access lists for that). But
he was also talking about the stuff Justin did, which was his (and my)
main point.

> This has additional problems to those listed below where, for
> instance, there are deliberately asymmetrical announcements.
>
> Here's some complications with both schemes. Suppose you [...]

Yes, all these schemes fail between peers. The point is that they protect
against rogue customers. If an attack happens anyway, we discover the
provider that has failed to guard against it's own customers' malfeasance,
and we shun that provider. That'll bring it around fast enough, once most
providers are doing the Right Thing.

/a
- - - - - - - - - - - - - - - - -