RE: Recent Attacks

From: Troy Henley (tghat_private)
Date: Thu Feb 17 2000 - 07:14:19 PST

Next message: Frank L. Heidt: "Re: Recent Attacks"

Previous message: Bennett Todd: "Re: Recent Attacks"
Maybe in reply to: hndat_private: "Recent Attacks"
Next in thread: Frank L. Heidt: "Re: Recent Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sorry, I am a newby, could you describe what "smurf" is ?  I am guessing it
is a utility but I am not certain.  Thanks

-----Original Message-----
From: owner-firewall-wizardsat_private
[mailto:owner-firewall-wizardsat_private]On Behalf Of Bennett Todd
Sent: Wednesday, February 16, 2000 12:56 PM
To: Marcus J. Ranum
Cc: firewall-wizardsat_private
Subject: Re: Recent Attacks

I may be a cad and a barbarian, but I'm less concerned with
identifying who's doing it, and more concerned with making the
attacks harder to mount, and easier to stop.

I very strongly believe that one step will do a great deal to reduce
the severity of this problem (e.g., it would essentially stop the
current tools, and make any replacements far, far less effective),
and that's to make ingress filtering universal.

While route-based packet filtering, to toss forged source addrs, is
very hard if not impossible once the packet enters the core routers,
when it's passing through the border router, the router that has a
simple static route for the LAN the packet originated on, the
filtering is trivial to implement. Some routers (e.g. Linux) can be
switched to do it automatically, with no configuration changes
necessary as the routing environment changes. I expect that will be
a required feature in routers very quickly, and not long after that
we'll start seeing blacklists, to help you block nets that don't do
ingress filtering right at your routers.

Allowing forged source addrs in and out of your nets is bad hygiene.

And if DDoS attacks couldn't used forged source addrs, they couldn't
use smurf to amplify their effects, and they couldn't be reused at
all; the moment a victim starts capturing packets, they'd have the
source addrs of all the machines in the attackers DDoS net --- and
building those nets remains the relatively hard prep work for
mounting one of these attacks. If we had universal ingress
filtering, the moment someone started launching one of these the
victim could start contacting the compromised sites, and if they
refused to address their problem they could request that the streams
by blocked by the compromised sites' providers.

Right now, only some nets nets have ingress filtering --- those
run by competant and knowlegeable networks admins who care about
security. But I think it will not be long before running without
ingress filtering is as unacceptable --- and gets you blacklisted as
hard and fast --- as running an open relay email server.

-Bennett

Next message: Frank L. Heidt: "Re: Recent Attacks"
Previous message: Bennett Todd: "Re: Recent Attacks"
Maybe in reply to: hndat_private: "Recent Attacks"
Next in thread: Frank L. Heidt: "Re: Recent Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:10 PDT