Who does source address validation? (was Re: what's that smell?)

Valdis.Kletnieks at vt.edu
Thu Oct 10 06:22:43 UTC 2002


On Wed, 09 Oct 2002 22:43:50 PDT, Steve Francis said:

> That's not terribly hard to overcome - allow icmp unreachables (from any 
> source) in your acl,  then deny all traffic from RFC 1918 addresses, 
> then the rest of the ACL.
> 
> Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up 
> with all the functionality, and almost none of the bogus traffic.

Amazingly enough, although there are a number of offenders in the 1918-numbered
tunnel category, we decided it was easier to just not worry about talking to
those providers' victi^H^H^H^H^Hcustomers(*).  We got tired of watching all the
DDoS-backscatter ICMP that *also* shows up with 1918 addresses on it. When
those show up, it means that some provider didn't filter whoever was forging
our address *AND* some provider wasn't filtering the 1918-sourced ICMP.  The
fact that it's probably two different providers is enough to make you give up trying
to do something nice for the net and just go have too many beers instead. ;)

/Valdis

(*) The problem usually tends to be self-correcting - the host that got bit
the most was our Listserv machine - and if outbound mail got hosed up for
TOO long, it would bounce, the victim would get unsubscribed, and no more
problems - at least till they manage to resubscribe.   Life got much nicer
once I made sure the "You must now confirm your subscription" message was
long enough to always trigger a 'frag needed'. ;)
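The ACL ordering in the quoted reply (permit ICMP unreachables from any source, then deny RFC 1918 sources, then the rest of the list) only works because IOS ACLs are first-match, and the backscatter Valdis describes still gets through it, which is why the rate limit is the other half. The following is an added example, not code from the thread or from Cisco: a first-match evaluator in Python that runs the reply's order beside the naive order with the 1918 denies on top, plus a token bucket standing in for CAR on ICMP. The IOS keywords in the comments are the standard ones; the packets, the "rest of the ACL" permit rules, and the rate and burst values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_UNREACHABLE = 3      # ICMP type 3, destination unreachable
CODE_FRAG_NEEDED = 4      # code 4: fragmentation needed and DF set (PMTUD)
CODE_PORT_UNREACH = 3     # code 3: port unreachable (typical DDoS backscatter)


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                        # "icmp", "tcp" or "udp"
    size: int = 64                    # bytes on the wire, for the rate limiter
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "icmp", "tcp", "udp" or "ip" (any protocol)
    src: Optional[IPv4Network] = None  # None means "any" source
    icmp_type: Optional[int] = None   # only meaningful for proto == "icmp"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; an IOS-style ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Order from the quoted reply.  IOS equivalent of the first four rules:
#   permit icmp any any unreachable
#   deny ip 10.0.0.0 0.255.255.255 any      (and the other two 1918 blocks)
ACL_UNREACHABLES_FIRST = [
    Rule("permit", "icmp", None, ICMP_UNREACHABLE),
    *[Rule("deny", "ip", n) for n in RFC1918],
    Rule("permit", "tcp"),            # assumed stand-in for "the rest of the ACL"
    Rule("permit", "udp"),
]

# Same rules with the RFC 1918 denies placed first: kills frag-needed from tunnels.
ACL_1918_FIRST = [
    *[Rule("deny", "ip", n) for n in RFC1918],
    Rule("permit", "icmp", None, ICMP_UNREACHABLE),
    Rule("permit", "tcp"),
    Rule("permit", "udp"),
]


class TokenBucket:
    """Stand-in for CAR on ICMP: rate in bits/s, burst in bytes; tokens are bytes."""
    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def process(acl: List[Rule], limiter: TokenBucket,
            arrivals: List[Tuple[float, Packet]]) -> List[str]:
    """Per-packet verdict: 'deny' (ACL), 'rate-limited' (ICMP over CAR) or 'permit'."""
    verdicts = []
    for now, p in arrivals:
        verdict = evaluate(acl, p)
        if verdict == "permit" and p.proto == "icmp" and not limiter.conform(p.size, now):
            verdict = "rate-limited"
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic, not captured data.
FRAG_NEEDED = Packet("10.1.2.3", "icmp", 576, ICMP_UNREACHABLE, CODE_FRAG_NEEDED)
BACKSCATTER = Packet("172.16.0.1", "icmp", 576, ICMP_UNREACHABLE, CODE_PORT_UNREACH)
FORGED_SYN = Packet("192.168.1.1", "tcp", 60)
REAL_SYN = Packet("198.51.100.7", "tcp", 60)


def demo() -> List[str]:
    limiter = TokenBucket(rate_bps=8000, burst_bytes=2048)   # assumed CAR values
    arrivals = [(0.0, FRAG_NEEDED), (0.0, FORGED_SYN), (0.0, REAL_SYN)]
    arrivals += [(0.0, BACKSCATTER)] * 5      # a burst of 1918-sourced backscatter
    return process(ACL_UNREACHABLES_FIRST, limiter, arrivals)


if __name__ == "__main__":
    print(demo())
```

The PMTUD message from the 10.x tunnel router passes the reply's ordering and is dropped by the naive one; the forged 1918-sourced SYN is dropped by both; the 1918-sourced backscatter is still permitted by the ACL, exactly as the post complains, and only the token bucket caps its volume.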