Home page logo

bugtraq logo Bugtraq mailing list archives

Re: DDOS Attack Mitigation
From: MatthewS () STAFF BRUNNET NET (Stainforth, Matthew)
Date: Wed, 16 Feb 2000 08:34:53 -0400

It might be of some benefit to note that 3Com's newer Total Control router
cards (HiPerARCs) have this feature built in with the command enabLE ip
sourCE_ADDRESS_FILTER.  This does, however, break the functionality of
routing subnets to dial customers.  And it doesn't put significant load on
the router cards themselves since they've been over-engineered as far as I
can tell.  So there is at least one vendor stepping in the right direction.

-----Original Message-----
From: Homer Wilson Smith [mailto:homer () LIGHTLINK COM]
Sent: Monday, February 14, 2000 4:16 PM
Subject: Re: DDOS Attack Mitigation

    Ingress/egress filters can be problematic, its not just a
problem.  With upstream providers being real harsh on handing out IP
ranges, and insisting that every IP subnet be used regardless
of how many
criss cross routes we have to put in our many routers to do
it, the access
lists also become complicated and prone to error.

    One can be unforgiving and say "So what, its the ISP's
job to do it
right." but many ISP's opt to keep it simple. For example presently we
have filters on our border routers, but not our inner routers
which have
complex criss cross routing tables as we send subnets in every which
direction.  Thus presumably our customers can spoof each
other, but not
the external world.

    If it gets out of hand we will take the next step.

    Of course you are right though, much of the way to keep
people from
coming in and doing damage is for everyone to make sure their
can't get out and do damage.  This is really the only
workable model for
stopping spam, you stop it going out, as stopping it from coming in is


Homer Wilson Smith   Clear Air, Clear Water,  Art Matrix - Lightlink
(607) 277-0959       A Green Earth and Peace. Internet
Access, Ithaca NY
homer () lightlink com  Is that too much to ask? http://www.lightlink.com

On Sun, 13 Feb 2000, Darren Reed wrote:

In some mail from Elias Levy, sie said:
Network Ingress Filtering:

All network access providers should implement network
ingress filtering
to stop any of their downstream networks from injecting
packets with
faked or "spoofed" addressed into the Internet.

Although this does not stop an attack from occurring it
does make it
much easier to track down the source of the attack and
terminate it

For information on network ingress filtering read RFC 2267:

You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".  They've had the ability to do it for
years and in doing so would seriously reduce the number and
of "spoofing" attacks.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]