It might be of some benefit to note that 3Com's newer Total Control router cards (HiPerARCs) have this feature built in with the command enabLE ip sourCE_ADDRESS_FILTER. This does, however, break the functionality of routing subnets to dial customers. And it doesn't put significant load on the router cards themselves, since they've been over-engineered as far as I can tell. So there is at least one vendor stepping in the right direction.

Matt...

> -----Original Message-----
> From: Homer Wilson Smith [mailto:homerat_private]
> Sent: Monday, February 14, 2000 4:16 PM
> To: BUGTRAQat_private
> Subject: Re: DDOS Attack Mitigation
>
>
> Ingress/egress filters can be problematic, it's not just a performance
> problem. With upstream providers being real harsh on handing out IP
> ranges, and insisting that every IP subnet be used regardless of how many
> criss-cross routes we have to put in our many routers to do it, the access
> lists also become complicated and prone to error.
>
> One can be unforgiving and say "So what, it's the ISP's job to do it
> right." but many ISPs opt to keep it simple. For example, presently we
> have filters on our border routers, but not our inner routers, which have
> complex criss-cross routing tables as we send subnets in every which
> direction. Thus presumably our customers can spoof each other, but not
> the external world.
>
> If it gets out of hand we will take the next step.
>
> Of course you are right though, much of the way to keep people from
> coming in and doing damage is for everyone to make sure their customers
> can't get out and do damage. This is really the only workable model for
> stopping spam: you stop it going out, as stopping it from coming in is
> hopeless.
>
> Homer
>
> ------------------------------------------------------------------------
> Homer Wilson Smith     Clear Air, Clear Water,     Art Matrix - Lightlink
> (607) 277-0959         A Green Earth and Peace.    Internet Access, Ithaca NY
> homerat_private        Is that too much to ask?    http://www.lightlink.com
>
> On Sun, 13 Feb 2000, Darren Reed wrote:
>
> > In some mail from Elias Levy, sie said:
> > [...]
> > > Network Ingress Filtering:
> > > --------------------------
> > >
> > > All network access providers should implement network ingress filtering
> > > to stop any of their downstream networks from injecting packets with
> > > faked or "spoofed" addresses into the Internet.
> > >
> > > Although this does not stop an attack from occurring, it does make it
> > > much easier to track down the source of the attack and terminate it
> > > quickly.
> > >
> > > For information on network ingress filtering read RFC 2267:
> > > http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
> >
> > You know, if anyone was of a mind to find someone at fault over this,
> > I'd start pointing the finger at ISPs who haven't been doing this
> > due to "performance reasons". They've had the ability to do it for
> > years, and in doing so would seriously reduce the number and possibility
> > of "spoofing" attacks.
> >
> > Darren
> >
>
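The per-port ingress filter the thread is discussing (RFC 2267 style), together with the routed-subnet trade-off Matt raises, as a small model. This is an added example, not code from the thread or from 3Com; the port names, prefixes and sample packets are constructed.

```python
"""Model of a per-customer-port ingress (source address) filter.

Added example: a packet may leave a customer port only if its source
address falls in a prefix the provider assigned to that port.
"""
from ipaddress import ip_address, ip_network

# Constructed access-server config: permitted source prefixes per port.
# Strict filtering (only the assigned dial address) is what breaks a
# customer who has a routed subnet behind a router on that port.
STRICT = {
    "slot3/port1": [ip_network("198.51.100.17/32")],
    "slot3/port2": [ip_network("198.51.100.18/32")],
}

# Same ports, with the customer's routed LAN added as a permitted source,
# which keeps the filter effective without breaking routed subnets.
WITH_ROUTED_SUBNETS = {
    "slot3/port1": [ip_network("198.51.100.17/32")],
    "slot3/port2": [ip_network("198.51.100.18/32"),
                    ip_network("203.0.113.64/26")],   # routed subnet
}


def ingress_permit(port, src, table):
    """True if a packet with source `src` may be forwarded from `port`.

    Unknown ports and sources outside every permitted prefix are dropped.
    """
    addr = ip_address(src)
    return any(addr in prefix for prefix in table.get(port, ()))


def filter_log(packets, table):
    """Apply the filter to (port, src, dst) tuples -> (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if ingress_permit(port, src, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic as seen on the customer-facing ports.
SAMPLE = [
    ("slot3/port1", "198.51.100.17", "192.0.2.10"),   # assigned address
    ("slot3/port1", "192.0.2.200", "192.0.2.10"),     # spoofed source
    ("slot3/port2", "203.0.113.77", "192.0.2.10"),    # host on routed LAN
    ("slot3/port2", "198.51.100.17", "192.0.2.10"),   # neighbour's address
]

if __name__ == "__main__":
    for name, table in (("strict", STRICT), ("routed", WITH_ROUTED_SUBNETS)):
        fwd, drop = filter_log(SAMPLE, table)
        print(f"{name}: forwarded {len(fwd)}, dropped {len(drop)}: {drop}")
```

With the strict table the routed-LAN host is dropped along with the spoofed packets; with the routed subnet listed it passes while the spoofed sources, including a neighbouring customer's address, are still dropped.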
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:30 PDT