Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco says attacks are due to operational practices

  • From: John M. Brown
  • Date: Thu Feb 10 21:30:40 2000

I am not doing this on backbone routers.  I am doing this on edge routers.  Outside
world, nor our customers really need to goto say port 19 (chargen), or say 7 (echo)
etc.

And, yes there is disclosure to our customers on this.

Again, we don't do this on our core, we do it on our EDGE, at no point did I 
say core.

Filtering against spoofed IP is a good thing


On Thu, Feb 10, 2000 at 06:13:56PM -0800, Chris Cappuccio wrote:
> Filtering incoming our outgoing ports for anybody's network but your own (not
> your customer's) is wrong.  You know specifically what apps you are running.  
> How can you know what your customer is running or what they want to do ?
> 
> If the customer is aware this is happening or even requests this type of
> firewall service, that's great.  But to filter ports on backbone routers is
> stupid.
> 
> On Thu, 10 Feb 2000, John M. Brown wrote:
> 
>  | 
>  | We have always built martian filters on our edge routers.  In addition we
>  | built specific filters for ports that are not used, or are bad on the net.
>  | 
>  | No matter what the customers router is doing, ours will drop 1918 and other
>  | IP blocks, and ports.
>  | 
>  | This can be automated and can be deployed over a reasonable period of time.
>  | Most MAJOR backbone providers do not do this, wish they would
>  | 
>  | jmbrown
>  | 
>  | 
>  | On Thu, Feb 10, 2000 at 06:48:06PM -0700, Tom Beeson wrote:
>  | > 
>  | > At 02:29 PM 2/10/00 -0800, Sean Donelan wrote:
>  | > 
>  | > >In an InteractiveWeek article the head of Cisco's security products group
>  | > >says the attacks are an operational problem not a technical problem.
>  | > >
>  | > > >Routers from Cisco and other vendors have the ability to detect the 
>  | > > signature
>  | > > >patterns of a denial-of-service attack, and the routers can filter out that
>  | > > >traffic, Farnsworth said.
>  | > > >
>  | > > >"The router knows which sources are legitimate or not and drops on the floor
>  | > > >anything suspicious," Farnsworth said. "Generally speaking, ingress 
>  | > > filtering
>  | > > >and committed rates are effective in terms of preventing [malicious] traffic
>  | > > >from ever showing up, or filtering it to a reasonable rate."
>  | > 
>  | > I would agree with Farnsworth.  Cisco routers do have some of the richest 
>  | > filtering mechanisms available.  Though the configuration is best done at 
>  | > the edge routers (not on any core backbone).  Considering the huge number 
>  | > of end sites out there, this is labor intensive.  If you were a medium or 
>  | > large ISP that had 250+ end sites behind you, then you would have to go out 
>  | > and reprogram over 250+ routers.  Placing the same changes on the core 
>  | > routers is impractical since it would be very CPU and Memory intensive and 
>  | > just as big a pain to administer.  We made a decision over a year ago to 
>  | > start making changes on as many of our customer end sites as possible.
>  | > 
>  | > We wrote an in-house perl script to take a Cisco router configuration and 
>  | > build inbound and outbound filters.  These filters are then applied to the 
>  | > serial interface that connects to our network and toward the Internet.  The 
>  | > inbound filter prevents outsiders from spoofing a LAN IP address aimed at 
>  | > that specific site.  The outbound filter prevents someone on the LAN from 
>  | > sending spoofed packets (bogus source IP addresses) from getting to the 
>  | > Internet.  Our script also adds the "no IP directed-broadcast", "no service 
>  | > udp-small-servers", and "no service tcp-small-servers" commands.  We also 
>  | > add restricted telnet access and other security related commands.  The 
>  | > suggested modifications are written to a text file and can be further 
>  | > edited and TFTP'd to the router at the discretion of the engineer.
>  | > 
>  | > We routinely manage a large majority our customer's routers.  For our 
>  | > customers who manage their own routers, we urge them to add these filets 
>  | > and work to make them aware of any security changes they should 
>  | > make.  Education of the customer becomes key to stopping spoofed packets 
>  | > from leaving your network.  :-)
>  | > 
>  | > We turned on logging on a few sites where we suspected some suspicious 
>  | > activity and actually logged a number of spoofed packets that were caught 
>  | > in the anti-spoofing filters.  The bad news is that we have not caught the 
>  | > actual persons sending out the spoofed packets.  We suspect that these guys 
>  | > may have moved on somewhere else.  If you are willing to commit the 
>  | > resources and time setting anti-spoofing filters on all your end site 
>  | > routers, it is a very worthwhile thing.
>  | > 
>  | > 
>  | > -- Tom Beeson
>  | > 
>  | > My 2 cents worth. Views are my own and not necessarily that of the company 
>  | > for which I work.
>  | > 
>  | > --**--**--**--**--**--**--**--**--**--**--**--
>  | > Tom Beeson		Oso Grande Technologies
>  | > Network Engineer 	A New Mexico Technet Co.
>  | > (505) 345-1748
>  | > noc@nm.net
>  | > --**--**--**--**--**--**--**--**--**--**--**--
>  | > 
>  | > 
>  | 
>  | 
> 
> ---
> Gates' Law: Every 18 months, the speed of software halves.
> 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.