nanog mailing list archives
Re: Ingress filtering on transits, peers, and IX ports
From: Eric Kuhnke <eric.kuhnke () gmail com>
Date: Tue, 13 Oct 2020 18:49:54 -0700
Aside from the BCPs currently being discussed for ingress filtering, I would be very interested in seeing what this traffic looked like from the perspective of your DNS servers' logs. I assume you're talking about customer-facing recursive/caching resolvers, and not authoritative-only nameservers.

Considering that one can run an instance of an anycasted recursive nameserver, under heavy load for a very large number of clients, on a $600 1U server these days... I wonder what exactly the threat model is. Reverse amplification of DNS traffic returning to the spoofed IPs for DoS purposes, such as to cause the nameserver to DoS a single /32 endpoint IP being targeted, as in common online gaming disputes? What volume of pps or Mbps would appear as spurious traffic as a result of this attack?

On Tue, Oct 13, 2020 at 3:14 PM Brian Knight via NANOG <nanog () nanog org> wrote:
We recently received an email notice from a group of security researchers who are looking at the feasibility of attacks using spoofed traffic. Their methodology, in broad strokes, was to send traffic to our DNS servers with a source IP that looked like it came from our network. Their attacks were successful, and they included a summary of what they found. So this message has started an internal conversation on what traffic we should be filtering and how.

This security test was not about BCP 38 for ingress traffic from our customers, nor was it about BGP ingress filtering. This tested our ingress filtering from the rest of the Internet.

It seems to me like we should be filtering traffic with spoofed IPs on our transit, IX, and peering links. I have done this filtering in the enterprise world extensively, and it's very helpful to keep out bad traffic. BCP 84 also discusses ingress filtering for SPs briefly and seems to advocate for it.

We have about 15 IP blocks allocated to us. With a network as small as ours, I chose to go with a static ACL approach to start the conversation. I crafted a static ACL, blocking all ingress traffic sourced from any of our assigned IP ranges. I made sure to include:

* Permit entries for P-t-P WAN subnets on peering links
* Permit entries for IP assignments to customers running multi-homed BGP
* The "permit ipv4 any any" at the end :)

The questions I wanted to ask the SP community are:

* What traffic filtering do you do on your transits, on IX ports, and your direct peering links?
* How is it accomplished? Through static ACL or some flavor of uRPF?
* If you use static ACLs, what is the administrative overhead like? What makes it easy or difficult to update?
* How did you test your filters when they were implemented?

Thanks a lot,
-Brian
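As an added worked example (not code from either poster), the script below builds the ordered ACL that Brian describes, checks that the exception permits actually fall inside the operator's own allocations, and dry-runs sample source addresses against the rule list the way a router would evaluate it, which is one concrete answer to his last question about testing. The prefixes are constructed from RFC 5737 documentation ranges, not anyone's real allocation, and the rendered syntax only approximates IOS-XR, so treat it as illustrative and check it against the platform you deploy on. It also covers IPv4 only; an IPv6 list needs its own blocks and a final `::/0` entry.

```python
"""Build and dry-run an ingress anti-spoofing ACL for transit, IX and peering ports.

Added example. Prefixes are constructed from RFC 5737 documentation ranges, not
a real allocation, and the rendered syntax only approximates IOS-XR.
"""
import ipaddress

# Constructed sample data: "our" allocations and the two kinds of exception
# that must be permitted before the deny of our own space.
OUR_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]
PTP_WAN = ["203.0.113.0/31"]        # peer's side of a P-t-P link numbered from our space
MULTIHOMED = ["198.51.100.128/25"]  # BGP customer that also announces this via another provider


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def build_rules(our_blocks, ptp_wan, multihomed):
    """Return an ordered list of (action, src_net, comment).

    Order is the whole point: exception permits first, then the deny of our
    own space, then permit any. A router stops at the first match, so a
    permit placed after the deny would never be reached.
    """
    rules = []
    for net in _nets(ptp_wan):
        rules.append(("permit", net, "P-t-P WAN subnet on peering link"))
    for net in _nets(multihomed):
        rules.append(("permit", net, "multihomed BGP customer"))
    for net in _nets(our_blocks):
        rules.append(("deny", net, "sourced from our allocation: spoofed on an external port"))
    rules.append(("permit", ipaddress.ip_network("0.0.0.0/0"), "everything else"))
    return rules


def exceptions_outside_our_space(our_blocks, exceptions):
    """Sanity check: an exception that is not inside one of our blocks does
    nothing (the deny would never have matched it) and usually means a typo.
    Returns the offending prefixes as strings."""
    blocks = _nets(our_blocks)
    return [str(e) for e in _nets(exceptions)
            if not any(e.version == b.version and e.subnet_of(b) for b in blocks)]


def classify(src_ip, rules):
    """First-match evaluation of a packet's source address, as the ACL would do it."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, _comment in rules:
        if ip.version == net.version and ip in net:
            return action
    return "deny"  # implicit deny if nothing matched


def render(name, rules):
    """Render the rule list in IOS-XR-like syntax (assumed format)."""
    lines = [f"ipv4 access-list {name}"]
    seq = 10
    for action, net, comment in rules:
        src = "any" if net.prefixlen == 0 else str(net)
        lines.append(f" {seq} remark {comment}")
        lines.append(f" {seq + 1} {action} ipv4 {src} any")
        seq += 10
    return "\n".join(lines)


def dry_run(rules):
    """Constructed test sources covering every branch of the ACL."""
    samples = {
        "203.0.113.1": "peer side of the P-t-P link",
        "198.51.100.200": "multihomed customer",
        "198.51.100.5": "our space, no exception: spoofed",
        "203.0.113.77": "our space, no exception: spoofed",
        "192.0.2.9": "someone else's space",
    }
    return {ip: classify(ip, rules) for ip in samples}


if __name__ == "__main__":
    rules = build_rules(OUR_BLOCKS, PTP_WAN, MULTIHOMED)
    bad = exceptions_outside_our_space(OUR_BLOCKS, PTP_WAN + MULTIHOMED)
    assert not bad, f"exceptions outside our allocations: {bad}"
    print(render("INGRESS-ANTISPOOF", rules))
    for ip, verdict in dry_run(rules).items():
        print(f"{ip:16} -> {verdict}")
```

The dry run is the cheap half of testing; the other half is sending packets with a spoofed source from outside, as the researchers did, and confirming the ACL counters increment on the external port rather than hits appearing in the resolver logs. Note that the multihomed-customer permit is a deliberate hole: traffic spoofing that customer's range will still get in, which is the trade-off Brian's exception list accepts.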
Current thread:
- Re: Ingress filtering on transits, peers, and IX ports, (continued)
- Re: Ingress filtering on transits, peers, and IX ports Randy Bush (Oct 19)
- Re: Ingress filtering on transits, peers, and IX ports Baldur Norddahl (Oct 20)
- Re: Ingress filtering on transits, peers, and IX ports Brian Knight via NANOG (Oct 22)
- RE: Ingress filtering on transits, peers, and IX ports adamv0025 (Oct 23)
- Re: Ingress filtering on transits, peers, and IX ports Tim Durack (Oct 20)
- Re: Ingress filtering on transits, peers, and IX ports Marcos Manoni (Oct 20)
- Re: Ingress filtering on transits, peers, and IX ports Dobbins, Roland (Oct 20)
- Re: Ingress filtering on transits, peers, and IX ports Nick Hilliard (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Mike Hammett (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Jared Mauch (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Chris Adams (Oct 13)
- Re: Ingress filtering on transits, peers, and IX ports Eric Kuhnke (Oct 13)
- Re: Ingress filtering on transits, peers, and IX ports Seth Mattinen (Oct 13)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Mark Andrews (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Bryan Holloway (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Casey Deccio (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Mel Beckman (Oct 14)
- Re: Ingress filtering on transits, peers, and IX ports Eric Kuhnke (Oct 14)