North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Ping flooding
- From: Vadim Antonov
- Date: Thu Jul 11 16:07:43 1996
>> That's once again a matter of defaults -- routers should _by
>> default_ discard all packets from interfaces which they won't
>> use for forwarding those packets back.
>This is a sweeping statement.
Note that _by default_ implies that there's a way to override it.
Now, in practically all LANs and corporate networks paths are
symmetrical unless something is misconfigured. Forceful prevention
of asymmetrical paths is the Good Thing, then -- that allows to
identify problems before something crashes.
All single-homed customers of ISPs also have tail-link part of their
paths symmetrical; and forced rejection of wrong source addresses
brings no harm and allows to prevent a lot of damage caused by
malicious attacks or simply misconfigured machines.
Backbones use asymmetrical routing a lot, they also have a skilled
personnel (well, usually) who would know how to disable the
backward-path checks when necessary.
> 1. Prevention of IP spoofing.
> 2. Prevention of asymmetric routing.
Not. Backbones have to have asymmetry, in general case, if you
want to compress routing information.
> 3. Better TCP windowing and better performance when all
> packets follow the same path.
Not really. TCP mostly cares about round-trip, not timing
of forward and backward paths.
>However, are the benefits worth the overhead?
That's not significant, as such filtering is done at tail-link
routers, which are not overloaded (generally).
>What are the
>effects on network redundancy?
Does limiting ability to do hard-to-trace denial of service attacks
count as improving network redundancy?
>What other issues am I overlooking?
Inertia. Even obviously Good Things like doing persistent static
routing by default aren't getting deployed, although the current
cisco's default of "floating" static routes is the #1 contributor
to route flap. Does any major ISP override the default by adding
"backup" routes to Null0 in a systematic way? I think not.
In the same vein, how many people don't forget to add "no ip proxy-arp"
to their interface definitions? I know quite a few who were bitten by
forgetting about that default. Or take interfaces being active (and
listening!) to routing updates by default, or silly recommendations
in manuals, or ... (you continue, the list is nearly endless).
The Rules of Safe (and Reliable) Networking are:
1) Disable All Features You Don't Need.
2) Don't Do Any Dynamic Routing Where Only One Path Exists.
3) Do Not Allow Packets To Go To Where They Are Not Supposed To Go
To And Come From Where They Aren't Supposed To Come From.
(The short form of that maxim is "Filter!".)
4) Don't Accept Suspicious Routes And Watch What You're
Announcing. (The short form of that maxim is also "Filter!").
6) Don't Trust Anyone.
Unfortunately the feature-happy router vendors do everything to
make following those rules very hard by enabling virtually everything
by default and so encouraging users to shoot themselves in the feet.
I.e. to _disable_ stuff you need to be an expert and know what it
does! Most simply don't bother.
- - - - - - - - - - - - - - - - -