[ On Thursday, March 29, 2001 at 18:40:03 (-0800), David Schwartz wrote: ]
Subject: RE: dsl providers that will route /24
> Right, that's why every provider has to come up with some reasonable way to deal with this problem. Filtering is one, but it doesn't solve the whole problem. Monitoring is one, but it doesn't solve the whole problem either.
Filtering illegal source addresses, and monitoring your filters, will eliminate *all* possibility of being the source of a spoofed DoS against someone else. Absolutely, positively, guaranteed. No ifs, ands, or buts. There really is no valid excuse any more for not doing it.
> Well that's the real problem. Every attack is potentially spoofed and there are no good tools for dealing with spoofed attacks. Filtering doesn't solve either of those two problems.
Yes, exactly, every attack is potentially using spoofed source addresses, which is why monitoring your filters *and* your netflow stats together, will give you a very good idea of who might be trying to perform an unspoofed DoS, or even if a significant enough number of your customers have been hacked and are being used to perform a DDoS. Filtering absolutely blocks all spoofed attacks, leaving you with only the easy ones to deal with. It also absolutely works 100% of the time, unlike NOC operators who might not always be watching similar passive monitoring, or who might be distracted by some other apparently more important event. Passive monitoring is not a technical control and cannot in any way compete against hard technical controls.
> Again, no. A unicast UDP flood can do just as much damage. So filters do not reduce the damage.
No, filters won't block a non-spoofed UDP flood, but they're very likely to point the finger at someone who's trying to perform such an attack *before* they can successfully pull it off! (at least they will until attackers get smart enough not to tip their hat by trying a spoof first)
> Exactly -- the problem is there's no good way to tell a spoofed packet from an unspoofed packet. Some form of source authentication would solve that.
Every packet with a source address that's not assigned to the customer who it is arriving from *IS* a spoofed packet, regardless of *why* it has an errant address. They must all be filtered regardless of content or purpose! The sooner your customers realise their configuration errors, the better (and the happier they'll be!). Yes, customers should do anti-spoofing filtering on both source and destination addresses too, but that does not in any way excuse any provider from doing likewise on *all* edge connections.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>