FW: Re: Is there a line of defense against Distributed Reflective attacks?

Daniel Senie dts at senie.com
Sat Jan 18 13:58:13 UTC 2003


At 09:29 PM 1/17/2003, Christopher L. Morrow wrote:

>On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
>
> >
> > -----Original Message-----
> > From: Stewart, William C (Bill), RTLSL
> > Sent: Friday, January 17, 2003 5:35 PM
> > To: 'nanog-post at trapdoor.merit.edu'
> > Subject: Re: Is there a line of defense against Distributed Reflective
> > attacks?
> >
> >
> > Many of these attacks can be mitigated by ISPs that do
> > anti-spoofing filtering on input - only accepting packets from user ports
>
>Sure, but this is a proven non-scalable solution. HOWEVER, filtering as
>close to the end host as possible is scalable and feasible... do it there, it makes
>MUCH more sense to do it there.

Well, let's see... on dialup circuits it should be done and should be a 
no-brainer. After all, ISPs are required (by UUNet at least) to push in 
filters to ensure dialup users can only reach port 25 of that ISP's mail 
servers and are blocked from all other spots. How hard is it to push in one 
more filter that checks the source IP address of the dialup user to ensure 
the address coming from the user is the one assigned?

Sure, dialups are not the only problem, but it's an example of blocking 
close (very close) to the edge.

Each time an ISP sells a T1 with a router and assigns a block of addresses, 
there's an opportunity to configure that router with filters 
(ingress/egress depending on which side you look at it from) and at least 
simple firewalling rules. Is this an expense to the installing ISP, or a 
cost savings in not having to deal with attacks that came from that network 
later? Even when a customer provides the CPE, providing sample 
configurations really costs little and would help. In many cases, the 
vendor supplying that T1 is one of the same companies which also handles 
the "core" so it's REALLY in their best interest to take little steps to 
protect their edges (hard to point fingers from the core and say "it's the 
edge vendor's problem" when you're also the edge vendor in some cases).

While it's nice that router vendors implemented unicast RPF to make 
configuration in some cases easier, using simple ACLs isn't necessarily 
hard at the edges either.

The stumbling block for ingress filtering has always been pretty simple: By 
implementing ingress, the network you save will be someone else's. You have 
to trust that other network operators will implement ingress filtering and 
in so doing save your network. Sadly, folks tend to avoid doing things that 
might help others, and so I continue to wait for a negligence lawsuit to 
wake folks up on this issue.

Eliminating spoofed addresses from the backbone, even if it were possible 
to do 100%, would not eliminate denial of service attacks. The DDoS attacks 
using coordinated "owned" machines demonstrate this. As spoofing becomes 
more difficult, tracing back the source of attacks becomes easier. Network 
operators will still find machines on their networks performing attacks, 
but when that phone call comes from another network with attack details, 
the chances of finding the offending host are much greater.
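The two edge-filtering options the post contrasts, a static ingress ACL per customer port and strict unicast RPF, modelled as an added example (this is not code from the original post or from any router vendor). The interface names, the RFC 5737 documentation prefixes, the routing tables and the sample packets are all constructed assumptions. It runs the same packets through both policies and also shows the case the post alludes to with "in some cases": when a customer's prefix is also reachable through another provider and the best route to it no longer points at the customer port, strict uRPF drops that customer's legitimate traffic while the hand-written ACL still permits it.

```python
import ipaddress

# Added example, not from the original post.  Interface names, prefixes,
# routing tables and packets below are constructed for illustration only.


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


# Prefixes the provider assigned to each customer-facing interface.  This is
# the information a static ingress ACL encodes by hand.
ASSIGNED = {
    "dialup0": _nets(["198.51.100.0/24"]),  # dialup pool, one address per call
    "serial1": _nets(["203.0.113.0/28"]),   # T1 customer A, single-homed
    "serial2": _nets(["203.0.113.64/26"]),  # T1 customer B, also has another provider
}

# Routing table as (prefix, next-hop interface).  Unicast RPF consults this
# instead of a per-interface ACL.
ROUTES = [
    ("198.51.100.0/24", "dialup0"),
    ("203.0.113.0/28", "serial1"),
    ("203.0.113.64/26", "serial2"),
    ("0.0.0.0/0", "uplink0"),  # everything else goes toward the core
]

# Same router after customer B's /26 is also learned from the core with a
# better path, so the best route to B's prefix no longer points at serial2.
ROUTES_ASYMMETRIC = [r for r in ROUTES if r[0] != "203.0.113.64/26"] + [
    ("203.0.113.64/26", "uplink0"),
]


def acl_permit(iface, src):
    """Static ingress ACL on a customer port: permit only sources inside a
    prefix assigned to that port (the 'one more filter' on a dialup port);
    anything else is spoofed or misconfigured and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED[iface])


def best_route_iface(routes, addr):
    """Longest-prefix-match lookup, as a router's forwarding table does it."""
    addr = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_strict_permit(iface, src, routes=ROUTES):
    """Strict unicast RPF: permit only if the return path to the source would
    leave through the interface the packet arrived on.  No per-port ACL to
    maintain, but it trusts the routing table to be symmetric."""
    return best_route_iface(routes, src) == iface


def check(packets, routes=ROUTES):
    """Run both policies over (ingress interface, source address) pairs.
    Returns {(iface, src): (acl_verdict, urpf_verdict)}; True means permit."""
    return {(iface, src): (acl_permit(iface, src),
                           urpf_strict_permit(iface, src, routes))
            for iface, src in packets}


# Constructed sample packets arriving on the customer-facing interfaces.
PACKETS = [
    ("dialup0", "198.51.100.17"),  # dialup user sending from its assigned address
    ("dialup0", "203.0.113.9"),    # dialup user spoofing customer A's address
    ("serial1", "203.0.113.9"),    # customer A, legitimate
    ("serial1", "192.0.2.1"),      # a box at customer A spoofing an unrelated source
    ("serial2", "203.0.113.70"),   # customer B, legitimate
    ("serial2", "203.0.113.200"),  # customer B using an address outside its /26
]

if __name__ == "__main__":
    for routes, label in ((ROUTES, "symmetric routing"),
                          (ROUTES_ASYMMETRIC, "customer B best route via core")):
        print(f"--- {label} ---")
        for (iface, src), (acl, urpf) in check(PACKETS, routes).items():
            print(f"{iface:8} {src:16} acl={'permit' if acl else 'drop':6} "
                  f"urpf_strict={'permit' if urpf else 'drop'}")
```

With symmetric routing both policies agree on every packet: the spoofed sources are dropped at the port they came in on, so nothing with a forged address reaches the core. Under `ROUTES_ASYMMETRIC` the ACL still permits customer B's real traffic, but strict uRPF drops it, which is why the post's "simple ACLs" remain the safe choice on ports where the routing toward the customer is not guaranteed to match the port the traffic arrives on.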




More information about the NANOG mailing list