On Sun, Dec 28, 1997 at 04:30:35PM +1100, Adrian Chadd wrote:
Since source address spoofing seems to be the thing, why not bite the bullet and put filters on from addresses on downstream clients?
It *would* start to blow out the size/complexity of the router configurations, but if your network is of a decent size you should already have some router config management tools written :)
But this way, people can only spoof IPs from their own block, and not random addresses. It would kill smurf attacks, make tracing a tad(?) easier, etc, etc. And as I've mentioned before, not all types of floods are ICMP attacks. If you filter ICMP, then I'll start flooding with spoofed source addresses TCP packets with random sequence numbers and from IPs. What, you're going to ask routers to track all the TCP connections going through them now for validation? Erm, how many CPUs more are we going to need..? :)
If you did this the trace would be TRIVIAL. Then, the source network of the problem gets BGP-dropped until they kill the source account and/or connection. This reduces smurfing to a ONE TIME event, makes prosecution easy (anyone who thinks that such an attack, launched on interstate facilities, against any regional or larger ISP isn't something the Feds will want to get into is dreaming - its a slam-dunk that the limits on damage have been exceeded) and further, raises the bar on people who claim that they "can't fix this".
I haven't looked at the MCI tools but my opinion is that if people start putting filters in, you would find the instances of flooding decline. All that needs to be done now is to discuss the best ways to do it (eg setting up a filter on a cisco which uses AS path regexps, so you can filter per interface on what people are announcing to you via BGP. That way, your downstreams can only send traffic with FROM IPs that they announce, and anyone who wants to spoof has to be speaking BGP. )
Adrian
All you need to do is prevent out-of-bounds traffic from being sent into your dedicated and dial equipment, and the problem now becomes trivial to solve. If it can be EASILY traced, it will stop being done. If you put these filters in place, the Smurfer will try to use a forged address and be dismayed when *nothing happens*. What's better, he won't KNOW that he's been filtered, and if you log the attempts you will know that someone tried and failed - which is a perfect reason to cancel their service. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/ | T1's from $600 monthly to FULL DS-3 Service | NEW! K56Flex support on ALL modems Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost