Re: Cisco says attacks are due to operational practices

• From: Richard Steenbergen
• Date: Thu Feb 10 22:01:22 2000

On Thu, Feb 10, 2000 at 06:13:56PM -0800, Chris Cappuccio wrote:
> 
> Filtering incoming our outgoing ports for anybody's network but your own (not
> your customer's) is wrong.  You know specifically what apps you are running.  
> How can you know what your customer is running or what they want to do ?
> 
> If the customer is aware this is happening or even requests this type of
> firewall service, that's great.  But to filter ports on backbone routers is
> stupid.
> 
> On Thu, 10 Feb 2000, John M. Brown wrote:
> 
>  | 
>  | We have always built martian filters on our edge routers.  In addition we
>  | built specific filters for ports that are not used, or are bad on the net.
>  | 
>  | No matter what the customers router is doing, ours will drop 1918 and other
>  | IP blocks, and ports.
>  | 
>  | This can be automated and can be deployed over a reasonable period of time.
>  | Most MAJOR backbone providers do not do this, wish they would

Filtering traffic sourced from 1918 space is also stupid. There is
absolutily nothing wrong with this traffic. There is something wrong with
knowing how to get to 1918 space that is not on your network or trying to
tell someone else how to get to your 1918 space, but the traffic itself is
totally legit, for example as a return in a traceroute from a hop that is
numbered in 1918 space. I am continueingly amazed how many people say
"well we filtered 1918 space that will reduce the size of the attack".
RFC1918 space is 6% of the available IPv4 address space. Infact the only
traffic that should NOT be on the internet is from the loopback class A
127.0.0.0/8, so if you want to filter something useful why don't you try

access-list 1911 permit 64.0.0.0 0.255.255.255
access-list 1911 deny 64.0.0.0 63.255.255.255
access-list 1911 deny 224 0.0.0 31.255.255.255
access-list 1911 permit any

Thats a 35.9% reduction in the random sourced attacks, and takes care of
multicast space sourced packets which you should never see either.

-- 
Richard A. Steenbergen <[email protected]>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA

• Follow-Ups:
  • Re: Cisco says attacks are due to operational practices Marc Slemko

• References:
  • Re: Cisco says attacks are due to operational practices John M. Brown
  • Re: Cisco says attacks are due to operational practices Chris Cappuccio

• Prev by Date: Re: Cisco says attacks are due to operational practices
• Next by Date: Re: Cisco says attacks are due to operational practices
• Date Index
• Thread Index
• Author Index
• Historical