nanog mailing list archives

Re: Network Operators and smurf
From: Robert Sanders <rsanders () mindspring net>
Date: Fri, 24 Apr 1998 19:09:39 -0400


> There isn't a simple knob, but then it isn't simple to know what a forgery
> is. You have to tell the router.

That's what routing protocols are for, right? :-)  I thought I had read on
cisco-nsp that 11.1CC implemented the long-discussed feature of not
accepting packets from an interface unless the router held a route for the
source address of that packet back out that interface, but I can't find
that message now.  I wonder what that does to forwarding rates on VIP2s and
12000s.

> Or, another perhaps better way is to only accept packets from your customer
> networks which are sourced from those networks.  Each customer interface
> then has an inbound filter that blocks everything not sourced from your
> customer's network.

As I told Jay, we have modified our RADIUS server to do exactly this on the
fly for 3com NETservers, 3com HiPer ARCs, and Bay 5399/8000s (and probably
any other Annexish box with RADIUS support).  This is great until you
accept routing information from one of your downstreams.  One might argue
that you shouldn't peer (or listen to RIP or OSPF) from a network that'll
carry spoofed packets, but I don't think that's practicable for the
Internet of today.  Not all the equipment is capable, not all the operators
are clueful, and there aren't enough incentives to change that overnight.

I won't even touch the issue of "legitimate spoofing" which rears its ugly
head in the telco return satellite and cable modem scenarios.  Strict
asymmetry does make things more complicated.

regards,
  -- Robert
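The two mechanisms discussed in this thread (accepting a packet only if the route for its source points back out the ingress interface, versus a static per-customer inbound source filter) can be modelled side by side. The following is an added example, not code from the thread or from any vendor; the routing table, interface names and packets are all constructed, and the "routing-derived" versus "static filter" behaviour is a simplified model of what the posts describe, including the caveat that a static customer filter lags behind routes learned from a downstream.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Interface names are
# hypothetical. The 192.0.2.0/24 entry stands in for a route learned
# dynamically from a customer's downstream, which the static filter below
# does not know about.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("203.0.113.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("192.0.2.0/24", "cust2"),
]

# Constructed static per-customer filter: ingress interface -> permitted
# source prefixes. Interfaces absent from the map (the upstream) are unfiltered.
CUSTOMER_PREFIXES = {
    "cust1": ["203.0.113.0/24"],
    "cust2": ["198.51.100.0/24"],
}


def lookup(table, src):
    """Longest-prefix match on the source address; returns the egress
    interface the router would use to reach src, or None if no route."""
    ip = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reverse_path_accept(table, ingress_iface, src):
    """Routing-derived check: accept only if the best route back to the
    source address leaves via the interface the packet arrived on."""
    return lookup(table, src) == ingress_iface


def customer_filter_accept(filters, ingress_iface, src):
    """Static inbound filter: on a customer interface, accept only sources
    inside that customer's assigned prefixes."""
    allowed = filters.get(ingress_iface)
    if allowed is None:
        return True  # no inbound source filter configured on this interface
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allowed)


# Constructed inbound packets: label -> (ingress interface, source address).
PACKETS = {
    "legit_cust1": ("cust1", "203.0.113.7"),
    "spoofed_on_cust1": ("cust1", "192.0.2.9"),
    "from_upstream": ("upstream0", "198.18.0.1"),
    "downstream_route_cust2": ("cust2", "192.0.2.9"),
}


def evaluate(packets=PACKETS, table=ROUTES, filters=CUSTOMER_PREFIXES):
    """Return {label: (reverse_path_ok, static_filter_ok)} for each packet."""
    return {
        label: (
            reverse_path_accept(table, iface, src),
            customer_filter_accept(filters, iface, src),
        )
        for label, (iface, src) in packets.items()
    }


if __name__ == "__main__":
    for label, (rpf, filt) in evaluate().items():
        print(f"{label:24s} reverse-path={'accept' if rpf else 'drop':6s} "
              f"static-filter={'accept' if filt else 'drop'}")
```

The spoofed packet is dropped by both checks. The packet sourced from the prefix learned via cust2's downstream passes the routing-derived check but is dropped by the static filter, which is the operational gap the post points at: a filter generated from customer assignments (for example by the RADIUS server) stays correct only as long as nothing new is learned from the downstream. Asymmetric paths, such as the telco-return case mentioned above, break the routing-derived check in the opposite direction, since the best route back to a legitimate source can point out a different interface than the one the packet arrived on.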
