North American Network Operators Group


Re: Blocking spoofing at the source (was: ICMP Attacks??)

  • From: Robert Sanders
  • Date: Fri Aug 29 18:52:04 1997

"Jay R. Ashworth" <[email protected]> writes:

> I think if Ascend, Livingston, and USR -- just those 3 -- put filters
> on their dialup ports to prevent source address spoofing, the problem
> would probably drop in half.

Don't hold your breath if you're expecting the vendors to implement
it.  I hope they do, but I'm certainly not waiting for it.  Features
tend to appear in order of financial impact, and I can't imagine the
large customers of Ascend, Livingston, and USR walking away from their
current access platforms if their vendors don't implement automatic
source address filters.  I say that as a fairly large USR/3com
customer, but two or three ports shy of IBM and Compuserve.

I've just finished some RADIUS server patches which implement per-user
anti-spoofing filter creation on USR Total Control NETservers (and
probably USR/3com HiPer ARCs, but I haven't tested with ours yet).  I
hope to have them working for Ascend Maxen within the next couple of
weeks.  Livingston doesn't seem to have the RADIUS support for
specifying dynamic per-user filters (not just filter-ids), though I
haven't investigated their ChoiceNet product thoroughly enough to know
for sure.  It certainly seems that it would need dynamic filter
creation.

Unfortunately, our RADIUS server has mutated to such an extent that
our changes won't apply to any of the source-available RADIUS servers.
We don't even use attribute/value users files anymore.  All our user
information is stored in a more abstract intermediate format.  I want
to port the filter code to the most popular versions (Livingston 1.16,
Merit, Ascend), but I don't have much free time.  If anybody's
interested in using these filters, or especially if you're interested
in helping to port them to other servers, please let me know.

I plan to deploy anti-spoofing filters throughout our access network
before the end of September.  Is anybody else running or planning to
implement similar filters?

regards,
  -- Robert
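
The per-user filter creation described in the message, sketched as an added example (not part of the original post and not the author's RADIUS patches). It assumes the session's legitimate sources are given by the standard RADIUS attributes Framed-IP-Address, Framed-IP-Netmask and Framed-Route; the function names and the vendor-neutral rule tuples are hypothetical.

```python
import ipaddress

# Constructed sample: attributes from a RADIUS Access-Accept for one dial-up user.
SAMPLE_REPLY = {
    "Framed-IP-Address": "192.0.2.17",
    "Framed-Route": ["198.51.100.0/28 192.0.2.17 1"],
}

# Framed-IP-Address values meaning "user negotiates" / "NAS picks from its pool":
# the real address is not in the reply, so no filter can be derived from it.
UNASSIGNED = {"255.255.255.255", "255.255.255.254"}

def allowed_sources(reply):
    """Return the source prefixes this session may legitimately use."""
    addr = reply["Framed-IP-Address"]
    if addr in UNASSIGNED:
        raise ValueError("address not in reply; build the filter after assignment")
    mask = reply.get("Framed-IP-Netmask", "255.255.255.255")
    nets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False)]
    for route in reply.get("Framed-Route", []):
        prefix = route.split()[0]          # "<prefix>/<bits> <gateway> <metric>"
        if "/" not in prefix:
            # Classful defaulting of a missing length is not implemented here.
            raise ValueError(f"Framed-Route without prefix length: {route!r}")
        nets.append(ipaddress.ip_network(prefix, strict=False))
    return list(ipaddress.collapse_addresses(nets))

def build_filter(reply):
    """Input filter for the user's port: permit own prefixes, deny the rest."""
    rules = [("permit", net) for net in allowed_sources(reply)]
    rules.append(("deny", ipaddress.ip_network("0.0.0.0/0")))
    return rules

def evaluate(rules, src):
    """First matching rule decides what happens to a packet with source src."""
    ip = ipaddress.ip_address(src)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"

if __name__ == "__main__":
    rules = build_filter(SAMPLE_REPLY)
    for src in ("192.0.2.17", "198.51.100.5", "203.0.113.9"):
        print(src, evaluate(rules, src))
```

Translating the rule tuples into a particular NAS's filter attribute is vendor-specific and is left out here.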