Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: SYN spoofing

  • From: batz
  • Date: Wed Jul 28 15:23:45 1999

On Wed, 28 Jul 1999, Joe Shaw wrote:

:Any provider who allows the passing of address space that isn't his own
:(beyond whatever transit they may provide to their peers) is shameful.  
:
:How hard is it really to put a filter on your outbound links that says
:drop all ip traffic heading out these links that isn't from my IP space?
:It's just like martian filters for your inbound links, and we'd see a
:significant decrease in spoofing based attacks if it was more widely
:adopted.  Not to mention it'll keep peers from dumping traffic on you.


As far as I can tell, if the RST packets are hitting their firewall, 
it isn't just a case of filtering packets with a dst of an rfc1918
addr. 

If someone is spoofing a scan from 10/8, and the responses are hitting
an interface on a firewall, that means that there is a route for 10/8
somewhere in that AS pointing to that firewall, which also means that 
someone is allowing their customers to leak that route to them. 

This is a much worse problem than simply not filtering individual packets. 
I think that most of the net knows not to announce rfc1918 addrs via
bgp, it just seems that some providers are allowing these routes to 
pollute their IGP which, depending on the size of the AS, is just 
as bad. 

--
batz
Chief Reverse Engineer 
Superficial Intelligence Research Division
Defective Technologies
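
The following is an added example, not part of the original post or of either participant's tooling. It models the two checks discussed in the thread: an outbound source-address filter, and an audit for RFC 1918 routes learned from customers, with a longest-prefix lookup showing why such a route lets replies to a spoofed 10/8 source reach an internal interface. All prefixes, next hops and route sources are constructed sample data.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed data: documentation prefixes stand in for the provider's space.
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
# (prefix, next hop, where the route was learned) -- all values constructed.
ROUTES = [
    ("192.0.2.0/24", "192.0.2.1", "connected"),
    ("198.51.100.0/24", "192.0.2.2", "igp"),
    ("10.0.0.0/8", "198.51.100.9", "customer"),   # the leaked route
]

def egress_permit(src, own_prefixes=OWN_PREFIXES):
    """Outbound filter: pass only packets sourced from our own space."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in own_prefixes)

def lookup(dst, routes):
    """Longest-prefix match; returns the winning route tuple or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

def leaked_private_routes(routes):
    """Routes inside RFC 1918 space that were learned from a customer."""
    return [r for r in routes
            if r[2] == "customer"
            and any(ipaddress.ip_network(r[0]).subnet_of(b) for b in RFC1918)]

if __name__ == "__main__":
    spoofed = "10.1.2.3"   # constructed spoofed source address
    print("egress filter passes spoofed source:", egress_permit(spoofed))
    print("reply to spoofed source is routed via:", lookup(spoofed, ROUTES))
    print("leaked RFC 1918 routes:", leaked_private_routes(ROUTES))
```

With the customer-learned 10/8 entry removed from the table, the lookup for the spoofed source returns no route, so the replies have nowhere to go inside the AS.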






