Firewall Wizards mailing list archives
Re: Recent Attacks
From: Bennett Todd <bet () rahul net>
Date: Wed, 16 Feb 2000 12:56:22 -0500
I may be a cad and a barbarian, but I'm less concerned with identifying who's doing it, and more concerned with making the attacks harder to mount, and easier to stop. I very strongly believe that one step will do a great deal to reduce the severity of this problem (e.g., it would essentially stop the current tools, and make any replacements far, far less effective), and that's to make ingress filtering universal.

While route-based packet filtering, to toss forged source addrs, is very hard if not impossible once the packet enters the core routers, when it's passing through the border router, the router that has a simple static route for the LAN the packet originated on, the filtering is trivial to implement. Some routers (e.g. Linux) can be switched to do it automatically, with no configuration changes necessary as the routing environment changes. I expect that will be a required feature in routers very quickly, and not long after that we'll start seeing blacklists, to help you block nets that don't do ingress filtering right at your routers.

Allowing forged source addrs in and out of your nets is bad hygiene. And if DDoS attacks couldn't use forged source addrs, they couldn't use smurf to amplify their effects, and they couldn't be reused at all; the moment a victim starts capturing packets, they'd have the source addrs of all the machines in the attacker's DDoS net --- and building those nets remains the relatively hard prep work for mounting one of these attacks. If we had universal ingress filtering, the moment someone started launching one of these the victim could start contacting the compromised sites, and if they refused to address their problem they could request that the streams be blocked by the compromised sites' providers. Right now, only some nets have ingress filtering --- those run by competent and knowledgeable network admins who care about security.

But I think it will not be long before running without ingress filtering is as unacceptable --- and gets you blacklisted as hard and fast --- as running an open relay email server.

-Bennett
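The border-router check Bennett describes (accept a packet only if its source address is routed back out the interface it arrived on) is small enough to show end to end. The following is an added illustration, not code from the original post or from any router vendor: the routing table, the interface names and the sample packets are all constructed, using RFC 5737 documentation addresses.

```python
"""Strict reverse-path ingress filtering at a hypothetical border router.

Added example, not part of the original mailing-list post. A packet is
accepted only when the longest-prefix route back to its source address
exits through the interface the packet arrived on; anything else is a
forged source and is dropped with a reason an operator can log.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table for a hypothetical border router.
# Interface names are assumed; prefixes are RFC 5737 documentation ranges.
ROUTES: List[Route] = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),     # customer LAN behind eth1
    (ipaddress.ip_network("198.51.100.0/25"), "eth2"),  # customer LAN behind eth2
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # default route to the upstream
]

# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),    # legitimate host on eth1's LAN
    ("eth1", "203.0.113.99", "203.0.113.5"),  # forged: 203.0.113.0/24 is not behind eth1
    ("eth2", "192.0.2.10", "203.0.113.5"),    # forged: that source belongs to eth1's LAN
    ("eth0", "203.0.113.5", "192.0.2.10"),    # legitimate inbound from the upstream
    ("eth0", "192.0.2.7", "192.0.2.10"),      # forged: upstream packet claiming our own LAN
]


def lookup_route(table: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet *to* addr would leave by."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Route] = None
    for net, iface in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def drop_reason(table: List[Route], ingress_iface: str, src: str) -> Optional[str]:
    """Return None if the source is plausible for this interface, else why not."""
    try:
        ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return f"malformed source address {src!r}"
    expected = lookup_route(table, src)
    if expected == ingress_iface:
        return None
    return f"source {src} is routed via {expected} but arrived on {ingress_iface}"


def passes_ingress_filter(table: List[Route], ingress_iface: str, src: str) -> bool:
    """The strict reverse-path decision a border router makes per packet."""
    return drop_reason(table, ingress_iface, src) is None


def filter_packets(table: List[Route], packets):
    """Split (iface, src, dst) tuples into accepted and dropped-with-reason lists."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        reason = drop_reason(table, iface, src)
        if reason is None:
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst, reason))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(ROUTES, SAMPLE_PACKETS)
    for pkt in ok:
        print("ACCEPT", pkt)
    for pkt in bad:
        print("DROP  ", pkt)
```

Because the decision is derived from the routing table rather than from a hand-written access list, it tracks routing changes automatically, which is the property Bennett attributes to routers such as Linux; on Linux the equivalent is the kernel's reverse-path filter (`net.ipv4.conf.all.rp_filter`). The strict form shown here rejects legitimate traffic under asymmetric routing, where the return path leaves by a different interface than the one the packet entered on, which is why a looser mode (accept if any route to the source exists) is usually offered for multi-homed borders.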