North American Network Operators Group


RE: ACLs / Filter Lists - Best Practices

  • From: Rob Thomas
  • Date: Fri Nov 30 11:49:18 2001

Hi, all.

Just a couple of comments in response to:

] - <rant>RFC 1918 filtering is no silver bullet.  Yes, it should be done, but
] all a malicious person needs in order to be able to launch an effective DDoS
] attack is to source from unassigned address space or address space that is
] known to be unused.</rant>

I filter all RFC 1918 and unused/bogon space at my borders (in both
prefix-lists and ACLs).  This cuts down on a large percentage of the
garbage.  Of course I filter outbound as well, to protect the Internet
from my data centers.  :)  You can see the filtering I use in the Secure
IOS Template and Secure BGP Templates here:

http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

With one routinely attacked site, 68% of the incoming traffic uses bogon
source addresses (e.g. 127.1.1.1, 169.254.3.3, 0.1.2.3, etc.)  So this
filtering really does help.  However, having said that, please keep in
mind that most of the bots I disassemble and botnets I monitor don't bother
to spoof at all.  Many don't include the capability to generate spoofed or
malformed packets.  Why?  Because the number of bots used in the attack is
already overwhelming.  It is almost impossible to block them all with
conventional filtering, so there is no need to spoof.  Further, tracking
them is quite difficult as well.  Try explaining to a home user that his or
her machine has been used in a DDoS attack.  The response I received from one
home PC owner was:  "Cool!"  :P

FYI, the miscreants continue to hack vulnerable Cisco routers.  I watched
as one crew gathered 800 ciscos (underground parlance) a few days ago.
Please ensure that you have access control and good passwords on your
routers.  Advise your customers to do the same.

Hmm, when will I ever be able to keep my posts to "just a couple of
comments?"  :)

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
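An added illustration of the source-address filtering the post describes, written for this archive page and not taken from the post or from the Secure IOS / Secure BGP templates it links. It checks inbound sources against a short bogon and RFC 1918 list (an illustrative subset, not the full list), checks outbound sources against a hypothetical data-center prefix (203.0.113.0/24, an assumption), and tallies how much of a constructed set of flow records an ingress filter would drop; the flow records and prefix are made up for the example.

```python
import ipaddress
from collections import Counter

# Bogon and RFC 1918 prefixes this example filters on. This is an
# illustrative subset chosen for the example, not the full bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network, e.g. 0.1.2.3 in the post
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback, e.g. 127.1.1.1
    "169.254.0.0/16",   # link-local, e.g. 169.254.3.3
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
)]

# Hypothetical address space of "our" data center, used for the egress
# check: anything leaving with a source outside it is dropped.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def matching_bogon(src):
    """Return the bogon prefix containing src, or None if none matches."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_PREFIXES:
        if addr in net:
            return net
    return None


def ingress_permitted(src):
    """Inbound rule: permit only sources that match no bogon prefix."""
    return matching_bogon(src) is None


def egress_permitted(src):
    """Outbound rule: permit only sources inside our own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)


# Constructed sample inbound flow records, one per line: src dst packets.
# These are made up for the example, not captured traffic.
SAMPLE_INGRESS = """
127.1.1.1 203.0.113.10 400
169.254.3.3 203.0.113.10 300
0.1.2.3 203.0.113.10 250
10.4.4.4 203.0.113.10 150
198.51.100.7 203.0.113.10 200
192.0.2.44 203.0.113.10 100
172.20.1.1 203.0.113.10 50
""".strip()


def parse_flows(text):
    """Parse 'src dst packets' lines into (src, dst, packets) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, pkts = line.split()
        flows.append((src, dst, int(pkts)))
    return flows


def ingress_report(flows):
    """Apply the ingress filter and report how many packets it drops,
    broken down by the bogon prefix that matched."""
    total = sum(pkts for _, _, pkts in flows)
    dropped = Counter()
    for src, _, pkts in flows:
        net = matching_bogon(src)
        if net is not None:
            dropped[str(net)] += pkts
    dropped_pkts = sum(dropped.values())
    percent = round(100.0 * dropped_pkts / total, 1) if total else 0.0
    return {
        "total": total,
        "dropped": dropped_pkts,
        "percent": percent,
        "by_prefix": dict(dropped),
    }


if __name__ == "__main__":
    report = ingress_report(parse_flows(SAMPLE_INGRESS))
    print(f"{report['dropped']} of {report['total']} packets "
          f"({report['percent']}%) dropped by the ingress bogon filter")
    for prefix, pkts in sorted(report["by_prefix"].items()):
        print(f"  {prefix:18} {pkts}")
    for src in ("203.0.113.5", "10.0.0.1", "198.51.100.7"):
        print(f"egress {src}: {'permit' if egress_permitted(src) else 'deny'}")
```

The egress rule is the stricter of the two: rather than denying a list of bad sources, it permits only the space the site actually owns, which is what keeps a compromised host inside the data center from sending spoofed packets outward.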