North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Access Lists

  • From: Martin, Christian
  • Date: Wed Mar 25 20:54:19 1998

It is more of a case of at all.  My associates feel that if a downstream
ISP pissed someone off, it is their problem to solve, not ours.  We do
filter traffic not destined for our IP space at our borders, but, for
the same reasons you stated, do nothing outbound, except on our BGP
sessions where we don't want certain netblocks routed in the Internet.
My concern is, if a perpetrator is persistent enough, he can write a
ping flood program that uses some obscure ICMP type that is rarely used,
say net-tos-redirect, and get in that way.  Even if we were to block
ICMP completely, which would take away source-quench, he could use UDP,
or perhaps even TCP syn floods and the like to get at this guy.  Either
way, it is a difficult situation.  Moreover, it is difficult to trace
this stuff back through, because I have to get every ISP, NSP, etc, etc
involved in order to trace spoofed IP addresses.

Ho do you block spoofed IP addresses?  I am already blocking ICMP
redirects and IP source routed packets.  Is there a better way, or
should I just tell my customer to deal?  I want to prevent this from
consuming my bandwidth as well.



Deepak Wrote

Are you trying to avoid a precedent of filtering at all or just filter
a whim? I don't think its really possible nowadays to be responsible and
not do _any_ filtering. 

I'd love to be able to not, but sometimes we have to. We also block
routed packets at our borders. We filter all inbound traffic to make
it is destined for IPs that we route for (we can't filter outbound both
policy and technical difficulty). 


On Wed, 25 Mar 1998, Martin, Christian wrote:

> That is what I am going to do.  But with over 100 downstream customers,
> and IOS 11.1 (sans named access lists) I don't want to start a
> precedent.
> Thanks!
> On Wed, 25 Mar 1998, Jain Depak Wrote
> Why not just filter all ping traffic to his T1 until the attack
> subsides?
> -Deepak.
> On Wed, 25 Mar 1998, Martin, Christian wrote:
> > Hello All,
> > 
> > I have a customer who is being ping-flooded.  His bandwidth is being
> > sucked up due to these floods, and wishes me to block them on my router.
> >  I am somewhat reluctant to do this, since it goes against our policy;
> > however, the customer has been very patient with us on this issue and
> > his patience is running out.  
> > 
> > I would be implementing on a Cisco 7507, with 3 T-3s to the Internet,
> > and the customer hangs off the router on a T-1.  What is the general
> > consensus on providing such a service, particularly in terms of
> > processing overhead and manageability.  Is there another way to prevent
> > this type of attack, aside from watching packets go by and trying to
> > trace it back through the source.  The source IPs are spoofed.
> > 
> > Thanks!
> > Christian Martin
> >