Working vulnerability? (Cisco exploit)
Paul Vixie
vixie at vix.com
Sat Jul 19 14:45:29 UTC 2003
B.Buxton at Planettechnologies.nl ("Ben Buxton") writes:

> For starters the original exploit won't work very well out of the box for
> most script kiddies (random source addresses -> killed by anti-spoofing)

Please put a ":-)" in when you're being humorous. That one was subtle
enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant
blockage when using random source addresses. I'd estimate that less
than a tenth of a percent (that's 0.1%) of edge paths use RPF, even
though BCP38 states the case clearly and the technology makes it easy
and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members
of the f-root cluster has gone 60 days since its counters were last
cleared, yet...
#sfo2b.f:i386# ipfw show
...
00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in
00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in
00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in
...
...it has received almost 7GBytes of rfc1918-sourced traffic in that time.

I don't mean by that example to support my 0.1% assertion, but rather to
show that far from filtering not-theirs on ingress, the vast majority of
providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies. If you leave a door wide open, they
WILL walk through.
--
Paul Vixie
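
The two source-address checks contrasted in the message above, as an added Python sketch that is not part of the original post: dropping RFC 1918 sources (addresses that belong to nobody) and the BCP38 check that a packet from a customer edge carries one of that customer's own prefixes. The function names, the customer prefix and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: the three sources the ipfw rules in the post deny.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(src):
    """True if src is private space that nobody can legitimately route."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def edge_verdict(src, customer_prefixes):
    """BCP38-style check for a packet arriving from a customer edge port.

    customer_prefixes: prefixes assigned to the customer on that port
    (hypothetical input; a router would take this from its routing table).
    Returns 'permit', 'drop-bogon' (not anybody's) or 'drop-spoofed'
    (a real address, but not this customer's).
    """
    addr = ipaddress.ip_address(src)
    if is_rfc1918(src):
        return "drop-bogon"
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    if any(addr in net for net in nets):
        return "permit"
    return "drop-spoofed"

def classify(sources, customer_prefixes):
    """Count verdicts for a batch of observed source addresses."""
    counts = {"permit": 0, "drop-bogon": 0, "drop-spoofed": 0}
    for src in sources:
        counts[edge_verdict(src, customer_prefixes)] += 1
    return counts

# Constructed sample: documentation prefixes stand in for real assignments.
CUSTOMER = ["192.0.2.0/24"]
SAMPLE_SOURCES = ["192.0.2.10", "10.1.2.3", "172.20.0.9", "192.168.1.1",
                  "198.51.100.7", "203.0.113.200", "192.0.2.254"]

if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s:15} {edge_verdict(s, CUSTOMER)}")
    print(classify(SAMPLE_SOURCES, CUSTOMER))
```

The bogon check needs no knowledge of who owns what, which is why it is the easier of the two; the spoofed-source check needs the per-port prefix list.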