nanog mailing list archives
Re: ACLs / Filter Lists - Best Practices
From: Adrian Chadd <adrian () creative net au>
Date: Fri, 30 Nov 2001 15:51:16 +0800
On Fri, Nov 30, 2001, Andreas Plesner Jacobsen wrote:
> On Fri, Nov 30, 2001 at 01:39:24AM -0500, Tim Irwin wrote:
> > <rant>
> > RFC 1918 filtering is no silver bullet. Yes, it should be done, but all a malicious person needs in order to be able to launch an effective DDoS attack is to source from unassigned address space or address space that is known to be unused.
> > </rant>
>
> And that's why we all need to employ things like CEF reverse path verification at our customer edge.
Strangely enough, DoS attacks these days may not be caught by reverse-path filtering. Think hundreds of exploited modem, DSL and cable machines (be it windows, linux, solaris, whatever..). Think each machine sitting on an irc network, whether it be a public one (Efnet, Undernet, Dalnet, etc) or a private one. Think each machine sending a valid stream of say, 5 packets a second (each a few hundred bytes) to some host that someone in the relevant IRC channel commands.

Oops. DoS. Traceable (which is nice), but not easily stopped since the traffic, for all intents and purposes, is valid. RFC1918 filtering won't stop this. Reverse-path filtering won't do this. Subscriber-edge spoof filtering won't even catch this.

And before someone jumps up and says "theoretical!", I'm sure a few NANOGers who double as occasional IRC server admins can possibly attest to strangely named channels with hundreds of idling clients sitting in them.. :-)

Personally I think that subscriber-edge filtering should be the primary thing (come on guys, how many clients use satellite download schemes which require IP spoofing for outbound packets via a modem?), since most times an _end customer_ (and I'd kick-start the end-customer definition as one who doesn't speak BGP) needs to spoof source IPs for a service, their service provider should be using an IP-IP encaps protocol. And, if reverse-path filtering starts becoming widespread, these people requiring source IP spoofing may also find themselves lost.

2c,

Adrian

--
Adrian Chadd                    "Auntie Em, Hate you. Hate Kansas.
<adrian () creative net au>      Taking the dog." -- Dorothy
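The point in the message above (edge filters stop spoofed sources, but a flood of valid-source, low-rate streams walks straight through them and has to be caught by looking at aggregate behaviour instead) can be shown in a small simulation. This is an added example, not code from the thread or from any vendor's uRPF implementation: the FIB, the interface names, the documentation-range addresses, the 5 pps per host figure from the message, and the detector thresholds are all constructed assumptions, and the strict-mode reverse-path check is a deliberately simplified model of what CEF does.

```python
"""Edge filters vs. a non-spoofed many-source flood (constructed example)."""
import ipaddress
from collections import defaultdict

# Constructed FIB: which ingress interface each customer prefix is expected on.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/1",  # customer A
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/2",   # customer B
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/3",     # customer C (victim lives here)
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(addr):
    """Longest-prefix match in the constructed FIB; returns the interface or None."""
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_permits(src, ingress):
    """Simplified strict uRPF: accept only if the route back to src exits via the ingress interface."""
    return lookup(ipaddress.ip_address(src)) == ingress


def rfc1918_permits(src):
    """RFC 1918 source filter: drop private-range sources at the edge."""
    return not any(ipaddress.ip_address(src) in n for n in RFC1918)


def edge_filter(pkt):
    """Apply both edge filters to one packet; returns (permitted, reason)."""
    if not rfc1918_permits(pkt["src"]):
        return False, "rfc1918"
    if not strict_urpf_permits(pkt["src"], pkt["ingress"]):
        return False, "urpf"
    return True, "ok"


def fan_in_detector(packets, window_s=10, min_sources=50, max_pps_per_source=10):
    """Flag destinations that receive low-rate traffic from many distinct sources.

    Each source stays under a per-host rate that would never trip a single-host
    threshold; only the count of sources converging on one destination stands out.
    """
    per_dst = defaultdict(lambda: defaultdict(int))
    for p in packets:
        per_dst[p["dst"]][p["src"]] += 1
    alerts = {}
    for dst, srcs in per_dst.items():
        low_rate = [s for s, n in srcs.items() if n / window_s <= max_pps_per_source]
        if len(low_rate) >= min_sources:
            alerts[dst] = len(low_rate)
    return alerts


def constructed_traffic():
    """Constructed 10-second capture: 200 non-spoofed hosts at 5 pps each, plus two spoofed packets."""
    pkts = []
    for net, iface in (("198.51.100.", "ge-0/0/1"), ("203.0.113.", "ge-0/0/2")):
        for h in range(1, 101):
            pkts += [{"src": f"{net}{h}", "dst": "192.0.2.10", "ingress": iface}] * 50
    # Two spoofed packets that the edge filters DO catch (private source; wrong ingress).
    pkts.append({"src": "10.1.2.3", "dst": "192.0.2.10", "ingress": "ge-0/0/1"})
    pkts.append({"src": "203.0.113.7", "dst": "192.0.2.10", "ingress": "ge-0/0/1"})
    return pkts


def run_demo():
    """Run the capture through the edge filters, then the detector over what got through."""
    counts = defaultdict(int)
    passed = []
    for p in constructed_traffic():
        ok, reason = edge_filter(p)
        counts[reason] += 1
        if ok:
            passed.append(p)
    return dict(counts), fan_in_detector(passed)


if __name__ == "__main__":
    counts, alerts = run_demo()
    print("edge filter results:", counts)      # the two spoofed packets are dropped ...
    print("fan-in alerts:", alerts)             # ... but 10000 valid packets reach the victim
```

Running it shows the split the message describes: the RFC 1918 and uRPF checks each drop exactly one spoofed packet, while all 10,000 packets from the 200 valid sources pass, and only the per-destination fan-in count raises an alert. In practice that second signal comes from flow export or traffic-analysis telemetry rather than from the ACL itself, which is why both layers are needed.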
Current thread:
- ACLs / Filter Lists - Best Practices John McBrayne (Nov 27)
- Re: ACLs / Filter Lists - Best Practices Scott Francis (Nov 27)
- Re: ACLs / Filter Lists - Best Practices E.B. Dreger (Nov 27)
- Re: ACLs / Filter Lists - Best Practices Christopher L. Morrow (Nov 27)
- RE: ACLs / Filter Lists - Best Practices Barry Raveendran Greene (Nov 28)
- Re: ACLs / Filter Lists - Best Practices Geoff Zinderdine (Nov 28)
- Re: ACLs / Filter Lists - Best Practices Nicolas FISCHBACH (Nov 28)
- RE: ACLs / Filter Lists - Best Practices Tim Irwin (Nov 29)
- Re: ACLs / Filter Lists - Best Practices Andreas Plesner Jacobsen (Nov 29)
- Re: ACLs / Filter Lists - Best Practices Adrian Chadd (Nov 29)
- Re: ACLs / Filter Lists - Best Practices Rob Thomas (Nov 30)
- Re: ACLs / Filter Lists - Best Practices Andreas Plesner Jacobsen (Nov 29)
- RE: ACLs / Filter Lists - Best Practices Rob Thomas (Nov 30)
- <Possible follow-ups>
- RE: ACLs / Filter Lists - Best Practices Irwin Lazar (Nov 28)