North American Network Operators Group
Re: no ip forged-source-address
At 02:26 PM 10/30/2002, you wrote:

And the company being attacked would be able to find out what network you are on.

On Wed, 30 Oct 2002 [email protected] wrote:

If every router in the world did this I could still use spoofed IP addresses and DDOS someone. My little program could determine what subnet I am on, check what other hosts are alive on the subnet and then when it decides to attack, it would use some neighbor's IP. The subnet I am on is a /24 and there very well may be a few dozen hosts. I could be real sneaky and alter my IP randomly to be any of my neighbors for every packet I send out.

While that traceback is happening, your upstream ISP would be quite able to cut connectivity to your /24 while investigating which machine was causing the problem. It's a question of accountability. If that /24 is used by one company, it's now possible to know that company is your target when you file your court papers.

Traceback would get me instantly back to the offending subnet but then it would take a bit of digging on the network admin to track me down and applying RPF checking won't help.

Getting to the subnet is sufficient to bring the problem to the local entity involved. I think that's quite reasonable. If the /24 is a cable network, a packet analyzer in use by the local cable ISP will find the culprit.

RPF checking can only go so far. You would need RPF checking down to the host level and I haven't heard anyone discuss that yet.

-Hank

> > Hi,
> >
> > I've been following the discussion on DDoS attacks over the last few weeks
> > and our network has also recently been the target of a sustained DDoS
> > attack. I'm not alone in believing that source address filters are the
> > simplest way to prevent the types of DDoS traffic that we have all been
> > seeing with increasing regularity. Reading the comments on this list has
> > led me to believe that there is a lot of inertia involved in applying
> > what appear to me as very simple filters.
> >
> > As with the smurf attacks a few years ago, best practice documents and
> > RFCs don't appear to be effective. I realise that configuring and
> > applying a source address filter is trivial, but not enough network admins
> > seem to be taking the time to lock this down. If the equipment had
> > sensible defaults (with the option to bypass them if required), then
> > perhaps this would be less of an issue.
> >
> > Therefore, would it be a reasonable suggestion to ask router vendors to
> > build source address filtering in as an option[1] on the interface and then move
> > it to being the default setting[2] after a period of time? This appeared
> > to have some success with reducing the number of networks that forwarded
> > broadcast packets (as with "no ip directed-broadcast").
> >
> > Just my $0.02,
> >
> > Richard Morrell
> > edNET
> >
> > [1] For example, an IOS config might be:
> >
> > interface fastethernet 1/0
> > no ip forged-source-address
> >
> > [2] Network admins would still have the option of turning it off, but this
> > would have to be explicitly configured.
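The granularity point argued above (an interface-level source filter cannot tell a host from its neighbour inside the same /24, whereas a per-host check can), as an added example that is not from the list or either poster: a small Python model of both checks run over constructed packets. The prefix, the MAC-to-IP binding table and its use as the "host-level RPF" mechanism are assumptions for illustration.

```python
import ipaddress

# Constructed scenario: one customer-facing interface routes a single /24
# (RFC 5737 documentation range), and a hypothetical per-host binding table
# (as DHCP snooping / IP source guard would learn it) maps each MAC to the
# one IP it is allowed to source. Neither value comes from the thread.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
HOST_BINDINGS = {
    "00:00:5e:00:53:01": ipaddress.ip_address("192.0.2.10"),
    "00:00:5e:00:53:02": ipaddress.ip_address("192.0.2.11"),
}


def subnet_filter(src_ip: str) -> bool:
    """Interface-level source filter (BCP 38 / strict uRPF on a stub link):
    accept a packet only if its source lies in the prefix routed here."""
    return ipaddress.ip_address(src_ip) in CUSTOMER_PREFIX


def host_filter(src_mac: str, src_ip: str) -> bool:
    """Host-level check: the claimed source must equal the address bound
    to the sending MAC. A host using a neighbour's address fails here."""
    bound = HOST_BINDINGS.get(src_mac)
    return bound is not None and bound == ipaddress.ip_address(src_ip)


def classify(src_mac: str, src_ip: str) -> str:
    """Report which stage, if any, drops a packet with this source."""
    if not subnet_filter(src_ip):
        return "dropped:subnet-filter"
    if not host_filter(src_mac, src_ip):
        return "dropped:host-binding"
    return "forwarded"


# Constructed sample packets: (sending MAC, claimed source IP)
SAMPLES = [
    ("00:00:5e:00:53:01", "192.0.2.10"),    # legitimate host
    ("00:00:5e:00:53:01", "198.51.100.7"),  # source outside the /24
    ("00:00:5e:00:53:01", "192.0.2.11"),    # neighbour's address, per the thread
]


def run(samples=SAMPLES):
    return [classify(mac, ip) for mac, ip in samples]


if __name__ == "__main__":
    for (mac, ip), verdict in zip(SAMPLES, run()):
        print(f"{mac} src={ip:<14} -> {verdict}")
```

The second sample is caught by the interface filter alone; the third passes it and is only stopped by the per-host binding, which is the gap the thread describes.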