At 09:29 PM 1/17/2003, Christopher L. Morrow wrote:
On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
-----Original Message-----
From: Stewart, William C (Bill), RTLSL
Sent: Friday, January 17, 2003 5:35 PM
To: 'nanog-post@trapdoor.merit.edu'
Subject: Re: Is there a line of defense against Distributed Reflective attacks?
Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports
Sure, but this is a proven non-scalable solution. HOWEVER, filtering as close to the end host is scalable and feasible... do it there, it makes MUCH more sense to do it there.
Well, let's see... on dialup circuits it should be done and should be a no-brainer. After all, ISPs are required (by UUNet at least) to push in filters to ensure dialup users can only reach port 25 of that ISP's mail servers and be blocked from all other spots. How hard is it to push in one more filter that checks the source IP address of the dialup user to ensure the address coming from the user is the one assigned? Sure, dialups are not the only problem, but it's an example of blocking close (very close) to the edge.

Each time an ISP sells a T1 with a router and assigns a block of addresses, there's an opportunity to configure that router with filters (ingress/egress depending on which side you look at it from) and at least simple firewalling rules. Is this an expense to the installing ISP, or a cost savings in not having to deal with attacks that came from that network later? Even when a customer provides the CPE, providing sample configurations really costs little and would help. In many cases, the vendor supplying that T1 is one of the same companies which also handles the "core", so it's REALLY in their best interest to take little steps to protect their edges (hard to point fingers from the core and say "it's the edge vendor's problem" when you're also the edge vendor in some cases).

While it's nice that router vendors implemented unicast RPF to make configuration in some cases easier, using simple ACLs isn't necessarily hard at the edges either. The stumbling block for ingress filtering has always been pretty simple: by implementing ingress, the network you save will be someone else's. You have to trust that other network operators will implement ingress filtering and in so doing save your network. Sadly, folks tend to avoid doing things that might help others, and so I continue to wait for a negligence lawsuit to wake folks up on this issue.

Eliminating spoofed addresses from the backbone, even if it were possible to do 100%, would not eliminate denial of service attacks. The DDoS attacks using coordinated "owned" machines demonstrate this. As spoofing becomes more difficult, tracing back the source of attacks becomes easier. Network operators will still find machines on their networks performing attacks, but when that phone call comes from another network with attack details, the chances of finding the offending host are much greater.
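As an added illustration of the two edge mechanisms the reply above contrasts (a hand-written per-port ACL versus strict unicast RPF), written for this page and not code from anyone in the thread; the interfaces, assigned blocks, routes and packets are all constructed:

```python
from ipaddress import ip_address, ip_network

# Customer-facing interfaces and the block assigned to each (constructed values).
ASSIGNED = {
    "serial0": ["192.0.2.0/29"],      # T1 customer with a /29
    "dialup1": ["198.51.100.17/32"],  # dialup user with one assigned address
}

# Forwarding table as (prefix, next-hop interface); longest match wins. Constructed.
FIB = [
    ("192.0.2.0/29", "serial0"),
    ("198.51.100.17/32", "dialup1"),
    ("0.0.0.0/0", "uplink0"),  # default route toward the core
]

def acl_permits(iface, src):
    """Simple ingress ACL: permit only sources inside the block assigned to the port."""
    addr = ip_address(src)
    return any(addr in ip_network(p) for p in ASSIGNED.get(iface, []))

def fib_lookup(src):
    """Longest-prefix-match: which interface would the router use to reach src?"""
    addr, best = ip_address(src), None
    for prefix, out_iface in FIB:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_iface)
    return best[1] if best else None

def urpf_strict_permits(iface, src):
    """Strict unicast RPF: the route back to src must point at the ingress interface."""
    return fib_lookup(src) == iface

def filter_packets(packets, check=acl_permits):
    """Run `check` on customer-facing ports; return (accepted, dropped). Core-facing
    ports (not in ASSIGNED) pass unchecked: strict RPF there breaks asymmetric routing."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if iface not in ASSIGNED or check(iface, src) else dropped).append(pkt)
    return accepted, dropped

# Constructed packets as (ingress interface, source, destination).
SAMPLE = [
    ("serial0", "192.0.2.3", "203.0.113.10"),      # legitimate T1 customer traffic
    ("serial0", "203.0.113.77", "192.0.2.250"),    # spoofed: source not in the /29
    ("dialup1", "198.51.100.17", "203.0.113.25"),  # legitimate dialup user
    ("dialup1", "198.51.100.18", "203.0.113.25"),  # spoofed: a neighbour's address
    ("uplink0", "203.0.113.9", "192.0.2.3"),       # from the core, not checked here
]
```

Both checks drop the same two spoofed packets on this sample: the ACL is the per-customer rule the post describes having to write by hand, while uRPF derives the same decision from the routing table the router already holds.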