Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ACLs / Filter Lists - Best Practices

  • From: Adrian Chadd
  • Date: Fri Nov 30 02:53:56 2001

On Fri, Nov 30, 2001, Andreas Plesner Jacobsen wrote:
> 
> On Fri, Nov 30, 2001 at 01:39:24AM -0500, Tim Irwin wrote:
> > 
> > - <rant>RFC 1918 filtering is no silver bullet.  Yes, it should be done, but
> > all a malicious person needs in order to be able to launch an effective DDoS
> > attack is to source from unassigned address space or address space that is
> > known to be unused.</rant>
> 
> And that's why we all need to employ things like CEF reverse path
> verification at our customer edge.

Strangely enough, DoS attacks these days may not be caught by
reverse-path filtering.

Think hundreds of exploited modem, DSL and cable machines (be it
windows, linux, solaris, whatever..)

Think each machine sitting on an irc network, whether it be a public
one (Efnet, Undernet, Dalnet, etc) or a private one.

Think each machine sending a valid stream of say, 5 packets a second
(each a few hundred bytes) to some host that someone in the relevant
IRC channel commands.

Oops. DoS. Traceable (which is nice), but not easily stopped
since the traffic, for all intents and purposes, is valid.

RFC1918 filtering won't stop this. reverse-path filtering won't
do this. subscriber-edge spoof filtering won't even catch this.

And before someone jumps up and says "theoretical!", I'm sure a few
NANOGers who double as occasional IRC server admins can possibly
attest to strangely named channels with hundreds of idling
clients sitting in them.. :-)

Personally I think that subscriber-edge filtering should be the primary
thing (come on guys, how many clients use satellite download schemes
which require IP spoofing for outbound packets via a modem?), since
most times an _end customer_ (and I'd kick-start the end-customer defintion
as one who doesn't speak BGP) needs to spoof source IPs for a service,
their service provider should be using an IP-IP encaps protocol.
And, if reverse-path filtering starts becoming widespread, these people
requiring source IP spoofing may also find themselves lost.

2c,



Adrian

-- 
Adrian Chadd			"Auntie Em, Hate you. Hate Kansas.
<adrian@creative.net.au>	  Taking the dog."
				    -- Dorothy




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.