no ip forged-source-address

Christopher L. Morrow chris at UU.NET
Thu Oct 31 06:17:18 UTC 2002


I was trying to keep my mouth shut... but alas that was too tough ;(

First, the IP addresses used in the attack are completely disconnected
from the problem of the attack. If you get attacked, it's really not
relevant what IPs are used; spoofed or not, someone needs to stop it for
you. The real problem that needs to be addressed is 'how to make the
attacks stop' in the first place.

Anyway, on to the comments :)


On Wed, 30 Oct 2002, Daniel Senie wrote:

>
> At 12:09 PM 10/30/2002, you wrote:
> >  "daniel" == Daniel Senie <dts at senie.com> writes:
> >
> >daniel> If the government or other large buyers require network-wide
> >daniel> ingress filtering in any supplier they buy from (something I
> >daniel> suggested to the folks at eBay, Schwab, etc. in our phone
> >daniel> calls after the attacks a few years ago), or if there were
> >daniel> legal incentive, there might be a chance ISPs would find a
> >daniel> financial motive to implement BCP 38. As it is, there's no
> >daniel> incentive, so the path of least resistance is to do nothing.
> >
> >I find it interesting that you suggest that the legal incentive should
> >be toward having the ISPs come up with a magic solution and not toward
> >having the customers do egress filtering at the edge(s) of their
> >network and actually perform something resembling security on the
> >hosts on their networks.
>
> What I suggested was a financial OR legal incentive.
>
>
> >After all, it is not usually a security failing of the ISP that causes
> >a DoS or DDoS attack, but utter incompetence or neglect by someone at
> >the edge of the network.
>
> That's a question of perspective. Arguably both the ISP and the end user
> are responsible. The ISP is often in the role of managing the CPE router,
> and thereby has control over the router where ingress/egress filtering is
> most easily implemented with simple access control lists.
>

Wow, this is an overreaching assumption you are making. There are quite a
few ISPs that manage a small minority of their customers. I'd think UUNET,
for example, manages less than 1% of its customer CPE. Sprint is
apparently managing a bit more, given that almost all Sprintlink customers
I talked to have managed CPE... ATT I don't know about for this argument.
The point here is that assuming that "all ISPs manage their customers'
CPE" isn't safe.

>
> >I'm not saying I don't think ISPs should filter where feasible, I'm
> >just saying that if we're going to hold someone responsible, it should
> >be the people who are responsible, not the people who are convenient.
>
> I find it interesting that some ISPs have no trouble taking care of ingress
> filtering, while others bellyache about how hard and expensive it is.
> Another nanog participant commented ATT implemented this starting in 1995.
> A UUNet person was the most vocal opponent to the draft that became RFC
> 2267 (over concern that the Cisco 7000's in use then would not handle the
> load). Six years later, ATT's network seems to do OK. Did UUNet ever do
> anything about it? Buy gear sized properly to do it? UUNet gives away
> 2610's with leased lines. Do they come pre-configured to do ingress
> filtering even?

Yes, this has been part of the standard customer router config for
some time now... Technically it's an 'egress' not 'ingress' filter, but
the same effect is in place.

>
> The question for the ISP is how it will defend itself when summoned to
> court. The ISP had the tools to ensure spoof attacks could not come from
> its network, yet chose not to. The customer likely would also face the

This is entirely NOT the case. The 'tools' being uRPF works in limited
cases; there are some spectacular failures though. Access-lists on INGRESS
at the ISP, except in small-ISP examples, are a massive scale problem...
not to mention the functionality issues :)
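The filters this thread argues about, as an added example that is not part of the original post and not any vendor's configuration: a small Python model of a BCP 38 egress access-list on the customer router beside strict and loose uRPF on the ISP side, run over constructed packets. The interface names, the customer prefixes (taken from the RFC 5737 documentation ranges) and the toy FIB are all made up for the demo. The third sample packet shows the asymmetric-routing case, one of the known ways strict uRPF drops a legitimate packet from a multihomed customer.

```python
"""Toy model of BCP 38 source-address filtering (added example).

Three checks are modelled on constructed data:
  1. an egress ACL on the customer's CPE (permit only assigned sources),
  2. strict uRPF on the ISP router (best route to source must point back
     out the arrival interface),
  3. loose uRPF on the ISP router (any non-default route to source).
Interface names, prefixes and the FIB below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str        # source address as written in the IP header
    in_iface: str   # ISP router interface the packet arrived on


# Constructed customer assignments: interface -> prefixes the customer may
# source traffic from. The 203.0.113.0/25 customer is multihomed to two
# links, Serial0/1 and Serial0/2.
CUSTOMER_PREFIXES = {
    "Serial0/0": [Net("198.51.100.0/24")],
    "Serial0/1": [Net("203.0.113.0/25")],
    "Serial0/2": [Net("203.0.113.0/25")],
}

# Constructed toy FIB: (prefix, set of best next-hop interfaces). Only the
# Serial0/2 link currently carries the best route to the multihomed
# customer, so its traffic entering on Serial0/1 is asymmetric.
DEFAULT = Net("0.0.0.0/0")
FIB = [
    (Net("198.51.100.0/24"), {"Serial0/0"}),
    (Net("203.0.113.0/25"), {"Serial0/2"}),
    (DEFAULT, {"GigabitEthernet1/0"}),  # default route towards upstream
]


def egress_acl_permit(pkt: Packet, assigned) -> bool:
    """BCP 38 as a plain access-list on the CPE: forward only packets whose
    source lies inside an assigned prefix, so spoofed sources never leave
    the customer's network."""
    src = Addr(pkt.src)
    return any(src in net for net in assigned)


def fib_lookup(addr: str):
    """Longest-prefix match; returns (prefix, interfaces) or (None, set())."""
    a = Addr(addr)
    best = None
    for prefix, ifaces in FIB:
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best if best else (None, set())


def urpf_strict(pkt: Packet) -> bool:
    """Strict uRPF: accept only if the best route back to the source points
    out the interface the packet came in on."""
    _, ifaces = fib_lookup(pkt.src)
    return pkt.in_iface in ifaces


def urpf_loose(pkt: Packet, allow_default: bool = False) -> bool:
    """Loose uRPF: accept if any route to the source exists, whatever the
    interface. The default route is ignored unless allow_default is set,
    otherwise every address would pass."""
    prefix, _ = fib_lookup(pkt.src)
    if prefix is None:
        return False
    return allow_default or prefix != DEFAULT


def verdicts(pkt: Packet) -> dict:
    """Run all three checks on one packet; the CPE-side ACL uses the
    prefixes assigned to the interface the packet arrived on."""
    assigned = CUSTOMER_PREFIXES.get(pkt.in_iface, [])
    return {
        "cpe_egress_acl": egress_acl_permit(pkt, assigned),
        "isp_urpf_strict": urpf_strict(pkt),
        "isp_urpf_loose": urpf_loose(pkt),
    }


# Constructed sample packets.
SAMPLES = {
    # Spoofed source from an unassigned range: every filter drops it.
    "spoofed_unrouted": Packet(src="192.0.2.7", in_iface="Serial0/0"),
    # Spoofed source that is routable, just not via this link: the ACL and
    # strict uRPF drop it, loose uRPF lets it through.
    "spoofed_routable": Packet(src="198.51.100.5", in_iface="Serial0/1"),
    # Legitimate source from the multihomed customer arriving on its
    # non-preferred link: strict uRPF drops real traffic here.
    "asymmetric_legit": Packet(src="203.0.113.9", in_iface="Serial0/1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {verdicts(pkt)}")
```

The model is deliberately one-FIB, one-router: real strict uRPF also has ECMP and feasible-path variants that widen the accepted interface set, which is why FIB entries carry a set of interfaces rather than a single one. The customer-side ACL never sees the routing table at all, which is exactly why it keeps working when the provider's best path moves.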

More information about the NANOG mailing list