North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: no ip forged-source-address
- From: H. Michael Smith, Jr.
- Date: Wed Oct 30 18:01:48 2002
A fundamental effect of spoofing addresses from your local subnet is
that when the packets reach their target, the source addresses are
meaningful. I realize that the traceability of these packets has
already been mentioned, but I want to point out the profound difference
between a DDoS attack with meaningful vs. meaningless source addresses.
From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of
Sent: Wednesday, October 30, 2002 2:27 PM
Subject: Re: no ip forged-source-address
On Wed, 30 Oct 2002 firstname.lastname@example.org wrote:
If every router in the world did this I could still use spoofed IP
addresses and DDOS someone. My little program could determine what
I am on, check what other hosts are alive on the subnet and then when it
decides to attack, it would use some neighbor's IP. The subnet I am on
a /24 and there very well may be a few dozen hosts. I could be real
sneaky and alter my IP randomly to be any of my neighbors for every
I send out.
Traceback would get me instantly back to the offending subnet but then
would take a bit of digging on the network admin to track me down and
applying RPF checking won't help.
RPF checking can only go so far. You would need RPF checking down to
host level and I haven't heard anyone discuss that yet.
> I've been following the discussion on DDoS attacks over the last few
> and our network has also recently been the target of a sustained DDoS
> attack.I'm not alone in believing that source address filters are the
> simplest way to prevent the types of DDoS traffic that we have all
> seeing with increasing regularity.Reading the comments on this list
> lead me to believe that there is a lot of inertia involved in applying
> what appears to me as very simple filters.
> As with the smurf attacks a few years ago, best practice documents and
> RFC's don't appear to be effective.I realise that configuring and
> applying a source address filter is trivial, but not enough network
> seem to be taking the time to lock this down.If the equipment had
> sensible defaults (with the option to bypass them if required), then
> perhaps this would be less of an issue.
> Therefore, would it be a reasonable suggestion to ask router vendors
> source address filtering in as an option on the interface and then
> it to being the default setting after a period of time?This
> to have some success with reducing the number of networks that
> broadcast packets (as with "no ip directed-broadcast").
> Just my $0.02,
> Richard Morrell
>  For example, an IOS config might be:
> interface fastethernet 1/0
> no ip forged-source-address
>  Network admins would still have the option of turning it off, but
> would have to be explicitly configured.