Blocking spoofing at the source (was: ICMP Attacks??)

Phil Howard phil at charon.milepost.com
Fri Aug 22 22:04:31 UTC 1997


Joe Rhett writes...

> > Given the predominance of Ascend in the marketplace, and their general
> > configuration style, it would be cool to see an option
> > "AllowIpSpoofing=Yes/No" or the like. The boxes already carry routes
> > associated with each interface. If a packet arrives that doesn't have a
> > route to get it back to the interface it came from, it would be dropped.
> > Sure, this may not always be what you want, but in 99% of the cases it
> > would be. Implementation via Radius would permit this to be removed from
> > people you wish to allow to spoof. :)
>  
> This won't work on anything with multiple diverse paths. And I don't know
> many companies with their own WANs that don't have such.

As long as _one_ _of_ _the_ _routes_ would go back on the interface the
packet arrived on, not necessarily the best route, then the logic would
work in the majority of cases that I know of.

But this could require a more extensive route lookup, which would do more
than just double the CPU time looking up routes.

OTOH, you could cut out a LOT of spoofing if all dialup routers were to
restrict source addresses to just the network range specified in the user
account data (for static with LAN) or the port address (for dynamic).
Any packet coming in on the port would be discarded with optional logging.

For example:

AllowSourceNet=10.0.0.0/8:172.16.0.0/12:192.168.0.0/16


> So, yes, the idea is nice but the logic would have to be much more
> comprehensive than that. And I honestly don't know how you could safely do
> it, that won't break half the routing topologies out there.

Doing this on backbone routes would be of little to no benefit and very
expensive.  Doing this on dialup routers is where the greatest benefit is,
and can always be turned off on a per-user basis where things do break for
some reason.

-- 
Phil Howard KA9WGN   +-------------------------------------------------------+
Linux Consultant     |  Linux installation, configuration, administration,   |
Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
phil at milepost.com +-------------------------------------------------------+
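
The per-port source check and the "one of the routes" reverse-path test discussed above, as an added Python example that is not part of the original post or any vendor's code. The AllowSourceNet syntax is the post's; the function names, addresses and route table are constructed for illustration.

```python
import ipaddress

def parse_allow_source_net(line):
    # Syntax taken from the post: colon-separated IPv4 CIDR blocks.
    key, _, value = line.strip().partition("=")
    if key != "AllowSourceNet" or not value:
        raise ValueError("expected AllowSourceNet=<cidr>[:<cidr>...]")
    return [ipaddress.IPv4Network(part) for part in value.split(":")]

def filter_port(src, allowed, log=None):
    # Per-port ingress check: drop any source outside the account's ranges.
    addr = ipaddress.IPv4Address(src)
    if any(addr in net for net in allowed):
        return "accept"
    if log is not None:  # logging is optional, as in the post
        log.append(f"drop source {addr}: outside allowed ranges")
    return "drop"

def covering_routes(src, routes):
    # Every route whose prefix contains src, not just the best match.
    addr = ipaddress.IPv4Address(src)
    return [(net, iface) for net, iface in routes if addr in net]

def best_route_returns(src, routes, in_iface):
    # Strict check: only the longest-prefix route back to src counts.
    cover = covering_routes(src, routes)
    return bool(cover) and max(cover, key=lambda r: r[0].prefixlen)[1] == in_iface

def any_route_returns(src, routes, in_iface):
    # Relaxed check from the post: one of the routes, not necessarily the best.
    return any(iface == in_iface for _, iface in covering_routes(src, routes))

# Constructed sample data (hypothetical accounts and routes, not from the post).
STATIC_USER = parse_allow_source_net("AllowSourceNet=192.168.10.0/24:192.168.11.0/24")
DYNAMIC_PORT = parse_allow_source_net("AllowSourceNet=10.1.2.3/32")
ROUTES = [(ipaddress.IPv4Network("172.16.0.0/12"), "wan0"),
          (ipaddress.IPv4Network("172.16.5.0/24"), "wan1")]

if __name__ == "__main__":
    log = []
    for src in ("192.168.11.7", "203.0.113.9"):
        print(src, filter_port(src, STATIC_USER, log))
    print("10.1.2.4", filter_port("10.1.2.4", DYNAMIC_PORT, log))
    print(log)
    # Multi-path case: the packet arrives on wan0 but the best route is wan1.
    print("strict:", best_route_returns("172.16.5.9", ROUTES, "wan0"))
    print("relaxed:", any_route_returns("172.16.5.9", ROUTES, "wan0"))
```

The relaxed test has to collect every covering route instead of stopping at the best match, which is the extra lookup cost the message mentions.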


