Automatic filtering - CISCO, you should think about this...

Phil Howard phil at charon.milepost.com
Sun Dec 28 18:58:12 UTC 1997


Karl Denninger writes...

> How about an interface keyword such as "auto-inbound-filter", which does
> this:
> 
> 	At STARTUP and when the LOCAL route table changes (ie: "ip route
> 	xxx..." statements) the system looks at the interfaces, and the 
> 	local static routes, and builds an accept list for that interface.
> 	The list is stored in a "reserved" set of system access lists.
> 
> 	Add a parameter which can be turned on (ie: log) which would add
> 	"log" to the end of the filter lists, so that anyone TRYING to smurf
> 	will get logged
> 
> This would totally automate the process of inbound filtering to prevent or
> severely limit smurf attacks.
> 
> Since filters which are based only on the source address are relatively
> cheap for the router to process, this would likely not seriously burden 
> anyone in their direct connections.
> 
> I'd love to see something like this, and it would reduce the complaint that
> it's "too hard to manage" such things.

How about having "no-auto-inbound-filter" instead, making the default in all
new versions of IOS be to run this essential level of protection, providing
a means to turn it off only for those who know they need to turn it off.

-- 
Phil Howard | a6b5c8d2 at spam4mer.org suck6it2 at no90ads4.org stop6ads at anyplace.edu
  phil      | w0x8y2z4 at nowhere5.edu stop5ads at anyplace.org a3b4c7d6 at dumbads3.org
    at      | ads6suck at spam0mer.net end3ads1 at no95ads2.net stop1ads at noplace2.org
  milepost  | end5it79 at no2where.net die3spam at s0p0a4m7.net eat05me6 at dumbads3.org
    dot     | end7ads9 at no52ads9.edu ads5suck at no9place.net stop7074 at lame9ads.edu
  com       | no9spam1 at lame5ads.org no94ads1 at no96ads0.net stop5ads at nowhere7.net
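The mechanism Karl sketches above (derive an interface's inbound accept list from its connected prefixes and the static routes that exit through it, append a deny, optionally with "log") is simple enough to show end to end. What follows is an added example written for this page, not code from the thread or from any IOS release: a small Python generator that computes the accept list and renders it as an IOS standard access-list (source-address-only, the cheap kind the post refers to) plus the "ip access-group ... in" binding. The topology, interface names and ACL numbers are constructed for illustration.

```python
"""Added example (not from the NANOG thread): build a per-interface
inbound source-address filter from connected prefixes plus the static
routes pointing out of that interface, i.e. the proposed
"auto-inbound-filter".  Output is IOS-style standard ACL syntax."""
import ipaddress

# Constructed topology (hypothetical): interface -> directly connected prefixes
INTERFACES = {
    "Serial0": ["192.0.2.0/30"],
    "Ethernet0": ["198.51.100.0/24"],
}
# Constructed static routes (hypothetical): (destination prefix, egress interface)
STATIC_ROUTES = [
    ("203.0.113.0/24", "Serial0"),
    ("203.0.113.128/25", "Serial0"),   # more-specific; folded into the /24
    ("10.10.0.0/16", "Ethernet0"),
]


def accepted_sources(interface, interfaces=INTERFACES, routes=STATIC_ROUTES):
    """Prefixes that may legitimately appear as *source* on packets arriving
    on `interface`: its connected networks plus every static route whose
    next hop leaves through it, collapsed to the minimal covering set."""
    nets = [ipaddress.ip_network(p) for p in interfaces.get(interface, [])]
    nets += [ipaddress.ip_network(d) for d, i in routes if i == interface]
    # collapse_addresses() sorts and merges overlapping/adjacent prefixes
    return list(ipaddress.collapse_addresses(nets))


def build_acl(interface, acl_number, log=False, **kw):
    """Render the accept list as IOS standard ACL lines (1-99: source only,
    hence cheap) followed by an explicit deny, optionally logged, and the
    inbound binding on the interface."""
    lines = []
    for net in accepted_sources(interface, **kw):
        # IOS wildcard masks are inverted netmasks; ipaddress calls that hostmask
        lines.append(f"access-list {acl_number} permit {net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} deny any" + (" log" if log else ""))
    lines.append(f"interface {interface}")
    lines.append(f" ip access-group {acl_number} in")
    return lines


def permits(interface, src, **kw):
    """Would a packet with source `src` arriving on `interface` be accepted?
    A spoofed source from some other customer's or the victim's range is not."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in accepted_sources(interface, **kw))


if __name__ == "__main__":
    for ifname, acl in (("Serial0", 10), ("Ethernet0", 11)):
        print("\n".join(build_acl(ifname, acl, log=True)))
        print("!")
```

The generator only encodes what the quoted proposal states: a source-only accept list per interface, rebuilt from the interface table and local static routes. The caveat a practitioner should keep in mind is the same one that applies to any strict ingress filter: it assumes the interface is the only path from those prefixes, so a multihomed or asymmetrically routed customer would see legitimate traffic dropped and logged unless the route set is extended to cover every prefix they may source.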
