North American Network Operators Group

Re: Blocking spoofing at the source (was: ICMP Attacks??)

  • From: Jay R. Ashworth
  • Date: Fri Aug 22 19:17:48 1997

On Fri, Aug 22, 1997 at 02:59:40PM -0700, Josh Beck wrote:
> > > Given the predominance of Ascend in the marketplace, and their general
> > > configuration style, it would be cool to see an option
> > > "AllowIpSpoofing=Yes/No" or the like. The boxes already carry routes
> > > associated with each interface. If a packet arrives that doesn't have a
> > > route to get it back to the interface it came from, it would be dropped.
> > > Sure, this may not always be what you want, but in 99% of the cases it
> > > would be. Implementation via Radius would permit this to be removed from
> > > people you wish to allow to spoof. :)
> >  
> > This won't work on anything with multiple diverse paths. And I don't know
> > many companies with their own WANs that don't have such.

Are those companies connecting their LANs to the net through _dialup_
ports on Ascend Boxen?

Come _on_ folks; pay attention.

> > So, yes, the idea is nice but the logic would have to be much more
> > comprehensive than that. And I honestly don't know how you could safely do
> > it, that won't break half the routing topologies out there.
> 
> 	True, but there are a lot of small ISPs whom something like this
> could help. Granted, perhaps you should know enough of filters and routes
> to run an ISP, but there are those who don't, and their numbers will only
> increase as the involved equipment and technologies become more accessible
> to more people, and more PC shops and small businesses decide to become
> their own ISPs.

I'd venture to speculate that the _vast_ majority of ports on routing
devices in the world have networks connected to them which contain only
hosts -- no other routers.

Remember, that description includes dialup PPP ports.

I think if Ascend, Livingston, and USR -- just those 3 -- put filters
on their dialup ports to prevent source address spoofing, the problem
would probably drop in half.

Adding it to the boundary routers on college campuses would cut another 40%.

The remaining 10% comes from AGIS.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                                [email protected]
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
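The check the thread argues over, as an added simulation that is not Ascend, Livingston or USR code: each route is tied to the interface it points out of, and a packet is accepted only if the best route back to its source address points at the interface the packet arrived on. A per-port exemption set stands in for the proposed RADIUS "AllowIpSpoofing" attribute (the name is from the thread; the semantics are an assumption). The last scenario reproduces the objection about diverse paths: a legitimate packet arriving over a second WAN link is dropped because the return route points elsewhere. All addresses are constructed from documentation ranges.

```python
"""Strict reverse-path check on a per-interface routing table (added example)."""
from ipaddress import ip_address, ip_network
from typing import Optional


class ReversePathFilter:
    def __init__(self) -> None:
        self.routes = []            # list of (network, interface); longest prefix wins
        self.spoof_allowed = set()  # ports exempted, like the thread's RADIUS override

    def add_route(self, prefix: str, iface: str) -> None:
        self.routes.append((ip_network(prefix), iface))

    def allow_spoofing(self, iface: str) -> None:
        """Exempt a port from the check (hypothetical AllowIpSpoofing=Yes)."""
        self.spoof_allowed.add(iface)

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match: the interface we would use to reach addr."""
        a = ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def accept(self, src: str, in_iface: str) -> bool:
        """Accept only if the route back to src leaves via the arrival port."""
        if in_iface in self.spoof_allowed:
            return True
        return self.lookup(src) == in_iface


def demo() -> dict:
    """Constructed scenarios; returns accept/drop decisions keyed by case."""
    rpf = ReversePathFilter()
    # Dialup ports: each PPP session gets a host route for its assigned address.
    rpf.add_route("192.0.2.10/32", "ppp1")
    rpf.add_route("192.0.2.11/32", "ppp2")
    # Two upstream links; 203.0.113.0/24 is reached via wan0, default via wan1.
    rpf.add_route("203.0.113.0/24", "wan0")
    rpf.add_route("0.0.0.0/0", "wan1")
    rpf.allow_spoofing("ppp2")  # the customer you deliberately let spoof

    return {
        # A dialup user sending from the address assigned to the session.
        "legit_dialup": rpf.accept("192.0.2.10", "ppp1"),
        # The same port sending with a forged source: no route back via ppp1.
        "spoofed_dialup": rpf.accept("198.51.100.7", "ppp1"),
        # Exempted port: forged source still passes.
        "exempt_port": rpf.accept("198.51.100.7", "ppp2"),
        # Asymmetric routing: packet from 203.0.113.5 arrives on wan1, but the
        # return route points at wan0, so strict checking drops legitimate traffic.
        "asymmetric_wan": rpf.accept("203.0.113.5", "wan1"),
        # Same source arriving on the link its route points at.
        "symmetric_wan": rpf.accept("203.0.113.5", "wan0"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'accept' if ok else 'drop'}")
```

The dialup cases are the ones the poster has in mind: a PPP port has exactly one route behind it, so the check is unambiguous. The `asymmetric_wan` case is the objection raised earlier in the thread; on a port with diverse paths the filter rejects real traffic, which is why the poster limits the proposal to leaf ports with only hosts behind them.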