Karl Denninger writes...
How about an interface keyword such as "auto-inbound-filter", which does this:
At STARTUP and when the LOCAL route table changes (ie: "ip route xxx..." statements) the system looks at the interfaces, and the local static routes, and builds an accept list for that interface. The list is stored in a "reserved" set of system access lists.
Add a parmaeter which can be turned on (ie: log) which would add "log" to the end of the filter lists, so that anyone TRYING to smurf will get logged
This would totally automate the process of inbound filtering to prevent or severely limit smurf attacks.
Since filters which are based only on the source address are relatively cheap for the router to process, this would likely not seriously burden anyone in their direct connections.
I'd love to see something like this, and it would reduce the complaint that its "too hard to manage" such things.
How about having "no-auto-inbound-filter" instead, making the default in all new versions of IOS be to run this essential level of protection, providing a means to turn it off only for those who know they need to turn it off. -- Phil Howard | a6b5c8d2@spam4mer.org suck6it2@no90ads4.org stop6ads@anyplace.edu phil | w0x8y2z4@nowhere5.edu stop5ads@anyplace.org a3b4c7d6@dumbads3.org at | ads6suck@spam0mer.net end3ads1@no95ads2.net stop1ads@noplace2.org milepost | end5it79@no2where.net die3spam@s0p0a4m7.net eat05me6@dumbads3.org dot | end7ads9@no52ads9.edu ads5suck@no9place.net stop7074@lame9ads.edu com | no9spam1@lame5ads.org no94ads1@no96ads0.net stop5ads@nowhere7.net