Re: Working vulnerability? (Cisco exploit)

  • From: Paul Vixie
  • Date: Sat Jul 19 10:48:19 2003

[email protected] ("Ben Buxton") writes:

> For starters the original exploit won't work very well out of the box for
> most script kiddies (random source addresses -> killed by anti-spoofing)

Please put a ":-)" in when you're being humorous.  That one was subtle
enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant
blockage when using random source addresses.  I'd estimate that less
than a tenth of a percent (that's 0.1%) of edge paths use RPF, even
though BCP38 states the case clearly and the technology makes it easy
and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members
of the f-root cluster has gone 60 days since its counters were last
cleared, yet...

#sfo2b.f:i386# ipfw show
00400   39787994   2630377143 deny ip from to any in
00500   38090617   2460350048 deny ip from to any in
00600   24926636   1658950280 deny ip from to any in

... has received almost 7GBytes of rfc1918-sourced traffic in that time.
I don't mean by that example to support my 0.1% assertion, but rather to
show that far from filtering not-theirs on ingress, the vast majority of
providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies.  If you leave a door wide open, they
WILL walk through.
Paul Vixie
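
Added example, not part of the original message: a small model of the two ingress checks the message refers to, a strict reverse-path (RPF) test in the spirit of BCP38 and an rfc1918 source filter, with per-verdict counters. The forwarding table, interface names and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 private space: never a legitimate source on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed forwarding table for a hypothetical edge router (assumption):
# prefix -> interface the router would use to reach that prefix.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust0",
    ipaddress.ip_network("203.0.113.0/25"): "cust1",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}

def best_route(addr, fib):
    """Longest-prefix match: interface of the most specific covering route."""
    matches = [(net.prefixlen, ifc) for net, ifc in fib.items() if addr in net]
    return max(matches)[1] if matches else None

def check_ingress(src, in_ifc, fib=FIB):
    """Verdict for a packet with source `src` arriving on `in_ifc`."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop:rfc1918"
    # Strict RPF: the route back to the source must leave via the arrival interface.
    if best_route(addr, fib) != in_ifc:
        return "drop:rpf"
    return "accept"

def tally(packets, fib=FIB):
    """Per-verdict packet and byte counters, like the counters in `ipfw show`."""
    pkts, octets = Counter(), Counter()
    for src, in_ifc, size in packets:
        verdict = check_ingress(src, in_ifc, fib)
        pkts[verdict] += 1
        octets[verdict] += size
    return pkts, octets

# Constructed sample traffic: (source address, arrival interface, bytes).
SAMPLE = [
    ("198.51.100.7", "cust0", 60),     # customer using its own prefix
    ("192.0.2.55", "cust0", 60),       # random source from a customer port
    ("10.1.2.3", "cust1", 66),         # rfc1918 source
    ("203.0.113.200", "cust1", 60),    # outside cust1's /25
    ("198.51.100.9", "upstream", 60),  # customer prefix arriving from upstream
    ("192.0.2.55", "upstream", 60),    # ordinary Internet source
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

Strict RPF as modelled here assumes symmetric routing on the customer-facing interfaces; multihomed edges typically need a looser mode or explicit prefix filters.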