nanog mailing list archives

Re: no ip forged-source-address

From: Hank Nussbacher <hank () att net il>
Date: Wed, 30 Oct 2002 21:26:30 +0200 (IST)


On Wed, 30 Oct 2002 variable () ednet co uk wrote:

If every router in the world did this I could still use spoofed IP
addresses and DDOS someone.  My little program could determine what subnet
I am on, check what other hosts are alive on the subnet and then when it
decides to attack, it would use some neighbor's IP.  The subnet I am on is
a /24 and there very well may be a few dozen hosts.  I could be real
sneaky and alter my IP randomly to be any of my neighbors for every packet
I send out.

Traceback would get me instantly back to the offending subnet but then it
would take a bit of digging on the network admin to track me down and
applying RPF checking won't help.

RPF checking can only go so far.  You would need RPF checking down to the
host level and I haven't heard anyone discuss that yet.

-Hank


Hi,

I've been following the discussion on DDoS attacks over the last few weeks
and our network has also recently been the target of a sustained DDoS
attack.I'm not alone in believing that source address filters are the
simplest way to prevent the types of DDoS traffic that we have all been
seeing with increasing regularity.Reading the comments on this list have
lead me to believe that there is a lot of inertia involved in applying
what appears to me as very simple filters.

As with the smurf attacks a few years ago, best practice documents and
RFC's don't appear to be effective.I realise that configuring and
applying a source address filter is trivial, but not enough network admins
seem to be taking the time to lock this down.If the equipment had
sensible defaults (with the option to bypass them if required), then
perhaps this would be less of an issue.

Therefore, would it be a reasonable suggestion to ask router vendors to
source address filtering in as an option[1] on the interface and then move
it to being the default setting[2] after a period of time?This appeared
to have some success with reducing the number of networks that forwarded
broadcast packets (as with "no ip directed-broadcast").

Just my $0.02,


Richard Morrell
edNET

[1] For example, an IOS config might be:

interface fastethernet 1/0
 no ip forged-source-address

[2] Network admins would still have the option of turning it off, but this
would have to be explicitly configured.

Current thread:

no ip forged-source-address variable (Oct 30)
- Re: no ip forged-source-address Jesper Skriver (Oct 30)
  - Re: no ip forged-source-address variable () ednet co uk (Oct 30)
    - Re: no ip forged-source-address Jesper Skriver (Oct 30)
- Re: no ip forged-source-address Lars Erik Gullerud (Oct 30)
  - Re: no ip forged-source-address Jared Mauch (Oct 30)
- Re: no ip forged-source-address Hank Nussbacher (Oct 30)
  - Re: no ip forged-source-address Barney Wolff (Oct 30)
  - Re: no ip forged-source-address Craig A. Huegen (Oct 30)
    - Re: no ip forged-source-address Jared Mauch (Oct 30)
  - Re: no ip forged-source-address Petri Helenius (Oct 30)
    - RE: no ip forged-source-address Tony Hain (Oct 30)
  - Re: no ip forged-source-address Jim Forster (Oct 30)
- Message not available
  - Re: no ip forged-source-address Daniel Senie (Oct 30)
- <Possible follow-ups>
- Re: no ip forged-source-address Daniel Senie (Oct 30)
  - Re: no ip forged-source-address variable () ednet co uk (Oct 30)
    - RE: no ip forged-source-address Tony Hain (Oct 30)

(Thread continues...)