On Tue, 17 Sep 1996, Kent W. England wrote:
> the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.

Except that what we need are routers implementing traffic filtering on ISP input ports rather than firewalls defending customer premises from attacks coming from the ISPs.

> We need both.

I think we are dealing with two different markets and two different groups of people. I don't think that ISPs will protect themselves from this denial of service attack with firewalls. This is a router requirement.

> Whether you put the firewall capability in a router or a separate box does not matter. The firewalls list is for people who want to talk about different defensive strategies and how to implement them.

The most important point is that if we all decide that defense and tracing are of limited utility and that filtering is the only way to stop these attacks, then we need a few people who read the nanog and iepg lists to stand up and say "I will filter and I expect you to do the same if you want to peer with me." Otherwise, it will be difficult for any single ISP to justify being the first to install peripheral filtering. We must have a consensus to move on this issue. Call it "peer pressure". :-)
You can also frighten people like so...

Copyright 1996 by Michael Dillon, All Rights Reserved

By now everyone is well aware of the exploits of the legendary hacker Kevin Mitnick who broke into computers at the San Diego Supercomputer Center administered by Tsutomu Shimomura by using a couple of techniques known as source spoofing and SYN flooding. But few people are aware that these techniques have now been mastered by many other hackers estimated to be 20,000 strong in the USA alone. And surprisingly, few Internet sites have protected themselves from such attacks by installing simple source address filters on their routers. A variation on this type of attack shut down a New York ISP for hours at a time over a four day period early in September.

Anyone responsible for any services connected to the Internet should see to it that basic source address filters are installed in their routers. These filters will ensure that no packets can enter your network pretending to be from a trusted machine inside your network. And they will prevent packets from leaving your network unless they have proper local source addresses on them. The incoming filters will protect you from external spoofing attacks by hackers while the outgoing filters will ensure that you cannot be used as a launching board for hacker attacks and thus protect you from legal liability.

-----------------end of sample---------

Add some technical details on how to implement source address filtering and you will get LOTS of sites to install these filters. The copyright notice is up there because I intend to approach various magazine editors regarding an article on the subject. But if somebody wants to take a similar approach on a web page or a mailing list or at LISA or at NANOG or wherever, I think this is an effective angle to take. You know what they say: most people don't get the message until they read something for the SEVENTH time.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
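The two filters the sample article calls for (drop inbound packets that claim a local source, drop outbound packets that do not carry one), modelled as an added example that is not part of the original thread or of any router vendor's configuration; the local prefixes 192.0.2.0/24 and 198.51.100.0/24 and the sample packets are constructed for the demonstration.

```python
# Added example: a minimal model of border source-address filtering.
# The local prefixes below are an assumption (documentation ranges), not
# values from the message; a real deployment lists the site's own prefixes.
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def is_local(src: str) -> bool:
    """True if the source address falls inside one of the site's prefixes."""
    addr = ip_address(src)
    return any(addr in net for net in LOCAL_NETS)


def filter_packet(direction: str, src: str) -> str:
    """Return 'permit' or 'deny' for a packet at the upstream-facing interface.

    direction: 'in'  = arriving from the ISP side
               'out' = leaving toward the ISP side
    Ingress rule: traffic from outside must not claim an inside source.
    Egress rule:  traffic leaving must carry an inside source, else it is spoofed.
    """
    local = is_local(src)
    if direction == "in":
        return "deny" if local else "permit"
    if direction == "out":
        return "permit" if local else "deny"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (direction, source address, note)
SAMPLE = [
    ("in", "203.0.113.7", "normal inbound packet from a remote host"),
    ("in", "192.0.2.10", "inbound packet claiming a local source: spoofed"),
    ("out", "198.51.100.5", "normal outbound packet from a local host"),
    ("out", "203.0.113.9", "outbound packet with a foreign source: local host spoofing"),
]


def audit(packets):
    """Apply both filters and return (direction, src, verdict) for each packet."""
    return [(d, s, filter_packet(d, s)) for d, s, _ in packets]


if __name__ == "__main__":
    for d, s, note in SAMPLE:
        print(f"{d:3} {s:15} {filter_packet(d, s):6}  {note}")
```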