Home page logo

nanog logo nanog mailing list archives

Re: Network Operators and smurf
From: Karl Denninger <karl () mcs net>
Date: Fri, 24 Apr 1998 17:59:29 -0500

On Fri, Apr 24, 1998 at 06:39:28PM -0400, Dean Anderson wrote:
At 5:53 PM -0400 4/24/98, Jay R. Ashworth wrote:

It's been my understanding that the knobs are in fact _not_ there,
Dean, but I'd be happy to be proven wrong.

There isn't a simple knob, but then it isn't simple to know what a forgery
is. You to have tell the router.  The router doesn't know what you and
other people "own", but you can tell it.  I'd say there isn't a way to make
a simple on/off knob for that, because there isn't any way to tell who you
will transit for and who you won't.

On your outbound interface(s):

access-list 101 permit ip <yournet-1> any out
access-list 101 permit ip <yournet-2> any out
access-list 101 deny ip any any out

This allows only packets sourced from your networks to be sent.

Or, another perhaps better way is to only accept packets from your customer
networks which are sourced from those networks.  Each customer interface
then has an inbound filter the blocks everything not sourced from your
customers network.


Well, there is a simple knob for this:

If the Knob is turned "ON", then any packet from a source address which is 
not routed to the interface it came in on is dropped.

This works for static, dynamic, and all other kinds of routing.    It will
solve the problem and is trivial to implement - if any of the vendors care.

Karl Denninger (karl () MCS Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]