Vulnerability Development mailing list archives
Re: Automatic antispoofing rules on access servers.
From: Ryan Permeh <Ryan () EEYE COM>
Date: Wed, 20 Sep 2000 10:37:14 -0700
this is an interesting addition to cisco's ios. i commend them for adding this. Two questions, what level of ios does this feature require, and has anyone done any testing against any implementation of this to make certain it does what it says? Signed, Ryan eEye Digital Security Team http://www.eEye.com ----- Original Message ----- From: "Lincoln Yeoh" <lyeoh () pop jaring my> To: "Ryan Permeh" <Ryan () EEYE COM>; <VULN-DEV () SECURITYFOCUS COM> Sent: Tuesday, September 19, 2000 11:48 PM Subject: Re: Automatic antispoofing rules on access servers.
The difference is, with this feature, you should not have to do as much reconfiguration if your netblocks change. That's what I'm talking about - lowering the administration costs for installing such rules at the access points. Check out the url. You'll see that you don't have to write the rules by hand. Use the same statements for every router. By putting the rules at the access servers, ISP can stop customers from spoofing others within their networks. Btw I'm not trying to promote Cisco here. In fact I was actually about to post asking if any router manufacturer had done such a thing - uniform config parameter(s) to do antispoofing on tons of different routers and interfaces. And then I found something like it on Cisco's site, and now I'm wondering if ISPs actually know about it and are using it. I was thinking "why hasn't anybody done this", and then "Oh they have!"
:).
Cheerio, Link. At 10:41 AM 19-09-2000 -0700, Ryan Permeh wrote:although this is a neat idea, placing antispoofing rules on your border acheives thew same level of protection at a much lower administrative
cost.
i used to work at an isp, and puting together possibly thousands antispoofing rules by hand in an understaffed, undertechnical environment
is
a hard thing to do. Especcially in the isp aquisition climate where your netblocks may not be the same for a while. If we got people to shut off broadcasts(at least icmp, if not all) and spoofing at the borders it
would
help a whole lot. PS: this doesn't just apply to isp's. there are schools and buisnesses
that
are just as guilty (and sometimes have just as big networks). Signed, Ryan eEye Digital Security Team http://www.eEye.com ----- Original Message ----- From: "Lincoln Yeoh" <lyeoh () POP JARING MY> To: <VULN-DEV () SECURITYFOCUS COM> Sent: Monday, September 18, 2000 7:50 PM Subject: Automatic antispoofing rules on access servers.I believe antispoofing filters won't really use up much CPU. So
probably
one of the main reasons ISPs don't use them at their access servers is
the
administrative cost in maintaining the rules. However I recently noticed that Cisco has a feature which seems to make this simpler to do.http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/12
1
t/121t2/rpf_plus.htm Do other major router/access server manufacturers have similar
features?
If such features were more widely used, smurfing and spoofing stuff
would
be a lot more difficult than it is now. Are there any problems which would discourage use by ISPs? Cheerio, Link.
Current thread:
- Cisco CDP attacks FX, Phenoelit (Sep 18)
- Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 19)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 19)
- Re: Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 19)
- Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 19)