nanog mailing list archives
Re: no ip forged-source-address
From: Daniel Senie <dts () senie com>
Date: Wed, 30 Oct 2002 11:02:39 -0500
At 10:44 AM 10/30/2002, variable () ednet co uk wrote:
> Hi, I've been following the discussion on DDoS attacks over the last few weeks and our network has also recently been the target of a sustained DDoS attack. I'm not alone in believing that source address filters are the simplest way to prevent the types of DDoS traffic that we have all been seeing with increasing regularity. Reading the comments on this list has led me to believe that there is a lot of inertia involved in applying what appears to me as very simple filters. As with the smurf attacks a few years ago, best practice documents and RFCs don't appear to be effective.
BCP 38 is quite explicit in the need for all networks to do their part. The document is quite effective provided there's cooperation.
> I realise that configuring and applying a source address filter is trivial, but not enough network admins seem to be taking the time to lock this down. If the equipment had sensible defaults (with the option to bypass them if required), then perhaps this would be less of an issue. Therefore, would it be a reasonable suggestion to ask router vendors to put source address filtering in as an option[1] on the interface and then move it to being the default setting[2] after a period of time? This appeared to have some success with reducing the number of networks that forwarded broadcast packets (as with "no ip directed-broadcast").
So you're suggesting the router vendors provide default configurations which the ISPs will overwrite with their current configurations anyway? Which interface would you filter on? If we're talking about a router at the customer premises, the filters should be on the link to the ISP (the customer may well have more subnets internally). At the ISP end, doing the filtering you suggest would not work, since it'd permit only the IP addresses of the link between the customer and user.
For dialups, such filtering can and should be done, and should be automatic in the NAS boxes.
But the #1 question I have to ask you is, how are you going to have any more luck enforcing ingress filtering with what you propose, than what we have in the BCP on the subject?
If the government or other large buyers require network-wide ingress filtering in any supplier they buy from (something I suggested to the folks at eBay, Schwab, etc. in our phone calls after the attacks a few years ago), or if there were legal incentive, there might be a chance ISPs would find a financial motive to implement BCP 38. As it is, there's no incentive, so the path of least resistance is to do nothing.
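A concrete form of the filters discussed above, added here as an illustration and not taken from either poster's message: the customer-edge outbound filter on the link to the ISP, the matching per-customer ingress filter at the ISP end, and the strict unicast RPF shortcut for a single-homed port, in Cisco IOS syntax. Address blocks are RFC 5737 documentation ranges standing in for a customer allocation, and the interface and ACL names are assumed.

```cisco
! --- Customer premises router: filter on the link toward the ISP ---
! Permit only the address space the customer actually uses, i.e. every
! internal subnet plus the link /30, then drop and log everything else.
! 192.0.2.0/24 and 203.0.113.0/24 stand in for the customer's allocation.
ip access-list extended BCP38-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.3 any
 deny   ip any any log
!
interface Serial0/0
 description Uplink to ISP (198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
 ip access-group BCP38-OUT out
 no ip directed-broadcast
!
! --- ISP aggregation router: per-customer ingress filter ---
! A filter built only from the link addresses (the kind of blanket default
! a vendor could ship) would drop the customer's real subnets, so the ACL
! must list every prefix routed to that customer.
ip access-list extended CUST-A-IN
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.3 any
 deny   ip any any log
!
interface Serial1/0
 description Customer A (static routes for 192.0.2.0/24 and 203.0.113.0/24)
 ip address 198.51.100.1 255.255.255.252
 ip access-group CUST-A-IN in
!
! --- Same check for a single-homed customer using strict unicast RPF ---
! Requires CEF. A packet is accepted only if the route to its source
! address points back out the interface it arrived on, so the ISP does
! not have to hand-maintain an ACL as the customer's prefixes change.
ip cef
!
interface Serial1/1
 description Customer B, single-homed
 ip verify unicast source reachable-via rx
```

The `log` keyword on the final `deny` is useful while confirming the filter matches the customer's real address space, but under a sustained attack it can punt enough packets to the CPU to hurt the router, so it is normally removed once the prefix list is verified. Strict uRPF is only safe where routing is symmetric; a multihomed customer whose traffic can arrive on a different interface than the one the route points to needs the explicit ACL instead.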
