no ip forged-source-address

Daniel Senie dts at senie.com
Wed Oct 30 21:42:05 UTC 2002


At 02:26 PM 10/30/2002, you wrote:

>On Wed, 30 Oct 2002 variable at ednet.co.uk wrote:
>
>If every router in the world did this I could still use spoofed IP
>addresses and DDOS someone.  My little program could determine what subnet
>I am on, check what other hosts are alive on the subnet and then when it
>decides to attack, it would use some neighbor's IP.  The subnet I am on is
>a /24 and there very well may be a few dozen hosts.  I could be real
>sneaky and alter my IP randomly to be any of my neighbors for every packet
>I send out.

And the company being attacked would be able to find out what network you 
are on.


>Traceback would get me instantly back to the offending subnet but then it
>would take a bit of digging on the network admin to track me down and
>applying RPF checking won't help.

While that traceback is happening, your upstream ISP would be quite able to 
cut connectivity to your /24 while investigating which machine was causing 
the problem. It's a question of accountability. If that /24 is used by one 
company, it's now possible to know that company is your target when you 
file your court papers.


>RPF checking can only go so far.  You would need RPF checking down to the
>host level and I haven't heard anyone discuss that yet.

Getting to the subnet is sufficient to bring the problem to the local entity 
involved. I think that's quite reasonable. If the /24 is a cable network, a 
packet analyzer in use by the local cable ISP will find the culprit.

>-Hank
>
> >
> > Hi,
> >
> > I've been following the discussion on DDoS attacks over the last few weeks
> > and our network has also recently been the target of a sustained DDoS
> > attack. I'm not alone in believing that source address filters are the
> > simplest way to prevent the types of DDoS traffic that we have all been
> > seeing with increasing regularity. Reading the comments on this list has
> > led me to believe that there is a lot of inertia involved in applying
> > what appears to me as very simple filters.
> >
> > As with the smurf attacks a few years ago, best practice documents and
> > RFCs don't appear to be effective. I realise that configuring and
> > applying a source address filter is trivial, but not enough network admins
> > seem to be taking the time to lock this down. If the equipment had
> > sensible defaults (with the option to bypass them if required), then
> > perhaps this would be less of an issue.
> >
> > Therefore, would it be a reasonable suggestion to ask router vendors to
> > source address filtering in as an option[1] on the interface and then move
> > it to being the default setting[2] after a period of time? This appeared
> > to have some success with reducing the number of networks that forwarded
> > broadcast packets (as with "no ip directed-broadcast").
> >
> > Just my $0.02,
> >
> >
> > Richard Morrell
> > edNET
> >
> > [1] For example, an IOS config might be:
> >
> > interface fastethernet 1/0
> >  no ip forged-source-address
> >
> > [2] Network admins would still have the option of turning it off, but this
> > would have to be explicitly configured.
> >
> >
> >
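As an added example (not code from the thread or from any vendor), a small Python model of the ingress filter under discussion: the subnet-level source address check Richard proposes for the interface, beside a hypothetical per-port host binding table of the kind Hank says would be needed to catch a host spoofing a neighbour on the same /24. The prefix, port names and bindings are constructed.

```python
import ipaddress

# Constructed sample: the /24 behind "fastethernet 1/0" and a hypothetical
# per-port binding table (the thread only mentions subnet-level RPF).
INTERFACE_PREFIXES = ["192.0.2.0/24"]
HOST_BINDINGS = {"port3": "192.0.2.10"}   # the sending host's real address


class IngressFilter:
    """Drop packets whose source address could not legitimately enter here."""

    def __init__(self, prefixes, host_bindings=None):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.host_bindings = {port: ipaddress.ip_address(a)
                              for port, a in (host_bindings or {}).items()}

    def subnet_permit(self, src):
        """Subnet-level check: is src inside a prefix routed to this interface?"""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.prefixes)

    def host_permit(self, src, port):
        """Host-level check: does src match the address bound to the ingress port?"""
        if not self.subnet_permit(src):
            return False
        bound = self.host_bindings.get(port)
        # With no binding for the port, fall back to the subnet-level decision.
        return bound is None or ipaddress.ip_address(src) == bound


def classify(flt, packets):
    """Return {src: (subnet_result, host_result)} for constructed (src, port) packets."""
    return {src: (flt.subnet_permit(src), flt.host_permit(src, port))
            for src, port in packets}


if __name__ == "__main__":
    flt = IngressFilter(INTERFACE_PREFIXES, HOST_BINDINGS)
    sample = [("192.0.2.10", "port3"),     # host's own address
              ("192.0.2.55", "port3"),     # a neighbour's address on the same /24
              ("198.51.100.7", "port3")]   # an address outside the /24
    for src, (sub, host) in classify(flt, sample).items():
        print(f"{src:14} subnet-filter={'pass' if sub else 'drop'} "
              f"host-filter={'pass' if host else 'drop'}")
```

The subnet-level filter alone passes the neighbour's address, which is exactly the gap Hank describes; the per-port binding closes it, while the traceback to the /24 that Daniel describes is unaffected.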
