North American Network Operators Group


Re: ACLs / Filter Lists - Best Practices

  • From: Adrian Chadd
  • Date: Fri Nov 30 02:53:56 2001

On Fri, Nov 30, 2001, Andreas Plesner Jacobsen wrote:
> 
> On Fri, Nov 30, 2001 at 01:39:24AM -0500, Tim Irwin wrote:
> > 
> > - <rant>RFC 1918 filtering is no silver bullet.  Yes, it should be done, but
> > all a malicious person needs in order to be able to launch an effective DDoS
> > attack is to source from unassigned address space or address space that is
> > known to be unused.</rant>
> 
> And that's why we all need to employ things like CEF reverse path
> verification at our customer edge.

Strangely enough, DoS attacks these days may not be caught by
reverse-path filtering.

Think hundreds of exploited modem, DSL and cable machines (be it
windows, linux, solaris, whatever..)

Think each machine sitting on an irc network, whether it be a public
one (Efnet, Undernet, Dalnet, etc) or a private one.

Think each machine sending a valid stream of say, 5 packets a second
(each a few hundred bytes) to some host that someone in the relevant
IRC channel commands.

Oops. DoS. Traceable (which is nice), but not easily stopped
since the traffic, for all intents and purposes, is valid.

RFC1918 filtering won't stop this. reverse-path filtering won't
do this. subscriber-edge spoof filtering won't even catch this.

And before someone jumps up and says "theoretical!", I'm sure a few
NANOGers who double as occasional IRC server admins can possibly
attest to strangely named channels with hundreds of idling
clients sitting in them.. :-)

Personally I think that subscriber-edge filtering should be the primary
thing (come on guys, how many clients use satellite download schemes
which require IP spoofing for outbound packets via a modem?), since
most times an _end customer_ (and I'd kick-start the end-customer definition
as one who doesn't speak BGP) needs to spoof source IPs for a service,
their service provider should be using an IP-IP encaps protocol.
And, if reverse-path filtering starts becoming widespread, these people
requiring source IP spoofing may also find themselves lost.

2c,



Adrian

-- 
Adrian Chadd			"Auntie Em, Hate you. Hate Kansas.
<[email protected]>	  Taking the dog."
				    -- Dorothy
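As an added illustration (not part of the original post or the NANOG thread), the following Python model runs the three ingress checks discussed above, RFC 1918 bogon filtering, strict uRPF and loose uRPF, over constructed traffic: a spoofed packet with a private source, a flood from compromised subscribers that each use their own valid address, and an asymmetric satellite-download customer sending upstream over a dial-up port. The FIB, interface names, address pools and the flood sizing (300 hosts at 5 packets/second of 300 bytes) are assumptions chosen to match the post's "hundreds of machines, 5 packets a second, a few hundred bytes"; nothing here comes from a real router or network.

```python
"""Edge-filter simulation: RFC 1918 / uRPF checks vs. a non-spoofed flood (constructed data)."""
import ipaddress
from collections import defaultdict

# Hypothetical ISP edge router FIB: prefix -> interface the router forwards toward it.
# (Assumed values; documentation prefixes only.)
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "dsl0",    # DSL subscriber pool
    ipaddress.ip_network("198.51.100.0/24"): "cable0",  # cable subscriber pool
    ipaddress.ip_network("192.0.2.0/24"): "core0",      # rest of the Internet; victim lives here
}

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface, or None if the address is unrouted."""
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def passes_rfc1918(src):
    """Bogon filter: drop anything sourced from private address space."""
    return not any(src in net for net in RFC1918)


def passes_urpf_strict(src, in_iface):
    """Strict RPF: the source must be reachable via the interface the packet arrived on."""
    return fib_lookup(src) == in_iface


def passes_urpf_loose(src):
    """Loose RPF: the source only needs to have some route in the FIB."""
    return fib_lookup(src) is not None


def edge_checks(pkt):
    """Apply all three ingress checks to one packet; True means that check would forward it."""
    src = ipaddress.ip_address(pkt["src"])
    return {
        "rfc1918": passes_rfc1918(src),
        "urpf_strict": passes_urpf_strict(src, pkt["in_iface"]),
        "urpf_loose": passes_urpf_loose(src),
    }


def bot_flood(n_hosts, pps, size, victim):
    """One second of traffic from n_hosts compromised subscribers, each sending pps packets
    of `size` bytes from its own, legitimately assigned source address."""
    pkts = []
    for i in range(n_hosts):
        # Alternate bots between the DSL and cable pools (hosts .1 upward in each /24).
        pool, iface = (("203.0.113.", "dsl0"), ("198.51.100.", "cable0"))[i % 2]
        src = pool + str(i // 2 + 1)
        for _ in range(pps):
            pkts.append({"src": src, "in_iface": iface, "dst": victim, "bytes": size})
    return pkts


def forwarded_summary(pkts):
    """Per-destination view of what survives all three filters: packets, bytes, distinct sources."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for p in pkts:
        if all(edge_checks(p).values()):
            s = summary[p["dst"]]
            s["packets"] += 1
            s["bytes"] += p["bytes"]
            s["sources"].add(p["src"])
    return {dst: {"packets": s["packets"], "bytes": s["bytes"], "distinct_sources": len(s["sources"])}
            for dst, s in summary.items()}


# --- constructed scenarios ---------------------------------------------------
VICTIM = "192.0.2.10"

# (a) Classic spoofed packet: RFC 1918 source on a DSL port. The bogon filter catches it.
SPOOFED = {"src": "10.1.2.3", "in_iface": "dsl0", "dst": VICTIM, "bytes": 300}

# (b) 300 bots * 5 pps * 300 B. Nothing is spoofed, so every filter forwards every packet.
FLOOD = bot_flood(n_hosts=300, pps=5, size=300, victim=VICTIM)

# (c) Asymmetric satellite-download customer: address from the satellite provider's block
# (routed via core0) but upstream packets sent over a dial-up port. Strict RPF drops it.
SATELLITE = {"src": "192.0.2.77", "in_iface": "dial0", "dst": "198.51.100.9", "bytes": 300}

if __name__ == "__main__":
    print("spoofed  :", edge_checks(SPOOFED))
    print("satellite:", edge_checks(SATELLITE))
    print("flood    :", forwarded_summary(FLOOD)[VICTIM])
```

The point the summary makes is the one the post makes: the only thing distinguishing the flood at the edge is aggregate behaviour (1,500 packets and 450,000 bytes per second toward one destination from 300 distinct, fully routable sources), not anything a per-packet source check can see. The satellite case shows the other side of strict uRPF: a customer whose return path differs from the interface they send on is dropped unless the provider tunnels that traffic, as the post suggests.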