North American Network Operators Group

RE: dsl providers that will route /24

  • From: Greg A. Woods
  • Date: Thu Mar 29 22:21:18 2001

[ On Thursday, March 29, 2001 at 18:40:03 (-0800), David Schwartz wrote: ]
> Subject: RE: dsl providers that will route /24
>
> 	Right, that's why every provider has to come up with some reasonable way to
> deal with this problem. Filtering is one, but it doesn't solve the whole
> problem. Monitoring is one, but it doesn't solve the whole problem either.

Filtering illegal source addresses, and monitoring your filters, will
eliminate *all* possibility of being the source of a spoofed DoS against
someone else.  Absolutely, positively, guaranteed.  No ifs, ands, or
buts.  There really is no valid excuse any more for not doing it.

> 	Well that's the real problem. Every attack is potentially spoofed and there
> are no good tools for dealing with spoofed attacks. Filtering doesn't solve
> either of those two problems.

Yes, exactly, every attack is potentially using spoofed source
addresses, which is why monitoring your filters *and* your netflow stats
together, will give you a very good idea of who might be trying to
perform an unspoofed DoS, or even if a significant enough number of your
customers have been hacked and are being used to perform a DDoS.
Filtering absolutely blocks all spoofed attacks, leaving you with only
the easy ones to deal with.  It also absolutely works 100% of the time,
unlike NOC operators who might not always be watching similar passive
monitoring, or who might be distracted by some other apparently more
important event.  Passive monitoring is not a technical control and
cannot in any way compete against hard technical controls.

> 	Again, no. A unicast UDP flood can do just as much damage. So filters do
> not reduce the damage.

No, filters won't block a non-spoofed UDP flood, but they're very likely
to point the finger at someone who's trying to perform such an attack
*before* they can successfully pull it off!  (at least they will until
attackers get smart enough not to tip their hat by trying a spoof first)

> 	Exactly -- the problem is there's no good way to tell a spoofed packet from
> an unspoofed packet. Some form of source authentication would solve that.

Every packet with a source address that's not assigned to the customer
who it is arriving from *IS* a spoofed packet, regardless of *why* it
has an errant address.  They must all be filtered regardless of content
or purpose!  The sooner your customers realise their configuration
errors, the better (and the happier they'll be!).

Yes customers should do anti-spoofing filtering on both source and
destination addresses too, but that does not in any way excuse any
provider from doing likewise on *all* edge connections.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <[email protected]>      <robohack!woods>
Planix, Inc. <[email protected]>; Secrets of the Weird <[email protected]>
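One way to put the "filter the illegal sources, then watch the filter counters and the flow stats together" idea from the message above into code, as an added example that is not from the thread or any vendor: an ingress (anti-spoofing) source check run per customer interface over constructed flow records, with per-interface drop counts so that a large count points at a likely spoofing attempt or a compromised customer host rather than a stray misconfiguration. The interface names, assigned prefixes, flow records and the 100-packet threshold are all assumptions.

```python
# Added example (not from the NANOG thread): ingress anti-spoofing filter
# evaluated over constructed flow records, with per-interface drop counts.
from ipaddress import ip_address, ip_network
from collections import Counter

# Hypothetical edge-interface -> assigned customer prefixes table.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],            # customer A
    "ge-0/0/2": [ip_network("198.51.100.0/25"),
                 ip_network("198.51.100.128/25")],       # customer B
    "ge-0/0/3": [ip_network("203.0.113.0/24")],          # customer C
}

def is_spoofed(ifname, src):
    """True if src is not assigned to the customer on ifname.
    Such a packet is dropped regardless of *why* the address is wrong."""
    src = ip_address(src)
    return not any(src in p for p in CUSTOMER_PREFIXES.get(ifname, []))

def audit_flows(flows):
    """Return (dropped_pkts_per_iface, forwarded_pkts_per_iface).
    flows: iterable of (ifname, src, dst, packets)."""
    dropped, forwarded = Counter(), Counter()
    for ifname, src, dst, pkts in flows:
        if is_spoofed(ifname, src):
            dropped[ifname] += pkts
        else:
            forwarded[ifname] += pkts
    return dropped, forwarded

def suspects(dropped, min_pkts=100):
    """Interfaces whose filter drop count suggests a spoofing attempt
    (or a hacked host) rather than a one-off configuration error."""
    return sorted(i for i, n in dropped.items() if n >= min_pkts)

# Constructed sample flow records (interface, src, dst, packet count).
SAMPLE_FLOWS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.50", 500),    # legitimate
    ("ge-0/0/1", "10.9.9.9", "203.0.113.50", 20000),    # spoofed flood
    ("ge-0/0/2", "198.51.100.200", "192.0.2.1", 300),   # legitimate
    ("ge-0/0/2", "198.51.100.7", "192.0.2.1", 30),      # legitimate
    ("ge-0/0/3", "203.0.113.9", "192.0.2.1", 120),      # legitimate
    ("ge-0/0/3", "192.0.2.99", "192.0.2.1", 3),         # stray config error
]

if __name__ == "__main__":
    dropped, _ = audit_flows(SAMPLE_FLOWS)
    print(dict(dropped), "->", suspects(dropped))
```

Drops on an interface with no assigned prefix at all are counted as well, which is the right outcome for an edge port nobody has put in the table yet.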