Ping flooding (fwd)

Tue Jul 9 07:10:38 UTC 1996

That's once again a matter of defaults -- routers should
_by default_  discard all packets from interfaces which
they won't use for forwarding those packets back.

This rule works is 99.9% of cases preventing SA spoofing
and some cases of transient loops, and can be disabled
where asymmetrical routing is desired.

I also have thought of some mechanism to allow destination
host to quench sender forcefully, by telling the intermediate
router(s) to disallow forwarding to some destination for
some period of time (a minute would do nice to render
flooding attacks ineffective), but there's a problem with
authentication (i.e. there's a need for the router to
"call back" to confirm that destination indeed wants to
shut up somebody).

Finally, routers could implement a kind of "reverse trace" ICMP
with the following functionality:

	on receiption of RT ICMP message take the SA from the
	ICMP and send back reply message.  After that install
	watchpoint to look for packets going to that address
	(the "watchpoint" may be implemented as a host route
	to some special interface).  If watchpoint is triggered
	(i.e. we've got a packet going to the SA) 
	send copy of the RT ICMP to the interface from which the
	offending packet came from and remove the watchpoint.
	If watchpoing wasn't triggrded for some time, remove
	it silently.

That simple mechanism would allow to track down sources of
forged (or mis-configured) SAs pretty quickly.  However it is
ineffectual if source-based routing with a large number of variant
routes is used.  But then, unrestricted SBR is very dangerous
anyway (it allows to create artificial congestions by emitting
relatively small streams of bogons with routes wound in tight loops).

--vadim