Re: Blocking spoofing at the source (was: ICMP Attacks??)
"Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us> writes:
I think if Ascend, Livingston, and USR -- just those 3 -- put filters on their dialup ports to prevent source address spoofing, the problem would probably drop in half.
Don't hold your breath if you're expecting the vendors to implement it. I hope they do, but I'm certainly not waiting for it. Features tend to appear in order of financial impact, and I can't imagine the large customers of Ascend, Livingston, and USR walking away from their current access platforms if their vendors don't implement automatic source address filters. I say that as a fairly large USR/3com customer, but two or three ports shy of IBM and Compuserve.

I've just finished some RADIUS server patches which implement per-user anti-spoofing filter creation on USR Total Control NETservers (and probably USR/3com HiPer ARCs, but I haven't tested with ours yet). I hope to have them working for Ascend Maxen within the next couple of weeks. Livingston doesn't seem to have the RADIUS support for specifying dynamic per-user filters (not just filter-ids), though I haven't investigated their ChoiceNet product thoroughly enough to know for sure. It certainly seems that it would need dynamic filter creation.

Unfortunately, our RADIUS server has mutated to such an extent that our changes won't apply to any of the source-available RADIUS servers. We don't even use attribute/value users files anymore. All our user information is stored in a more abstract intermediate format. I want to port the filter code to the most popular versions (Livingston 1.16, Merit, Ascend), but I don't have much free time. If anybody's interested in using these filters, or especially if you're interested in helping to port them to other servers, please let me know.

I plan to deploy anti-spoofing filters throughout our access network before the end of September. Is anybody else running or planning to implement similar filters?

regards,
--
Robert
participants (1): Robert Sanders
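The per-user anti-spoofing idea discussed in this message, sketched as an added example (not the patches mentioned above, and not any vendor's filter syntax): derive the permitted source prefixes for one dial-up session from the standard RADIUS reply attributes Framed-IP-Address, Framed-IP-Netmask and Framed-Route, then deny everything else. The function names, the dict layout of the reply and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Framed-IP-Address values that mean "user chooses" / "NAS picks from its pool":
# the RADIUS server does not know the final address, so it cannot build the filter.
UNKNOWN_AT_AUTH = {"255.255.255.255", "255.255.255.254"}

def permitted_sources(reply):
    """Prefixes this session may legitimately use as IP source addresses."""
    addr = reply["Framed-IP-Address"]
    if addr in UNKNOWN_AT_AUTH:
        raise ValueError("address assigned by the NAS; filter must be built there")
    mask = reply.get("Framed-IP-Netmask", "255.255.255.255")
    nets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False)]
    for route in reply.get("Framed-Route", []):
        # Framed-Route text is "<prefix> <gateway> <metric>"; only the prefix matters.
        nets.append(ipaddress.ip_network(route.split()[0], strict=False))
    return list(ipaddress.collapse_addresses(nets))

def build_filter(reply):
    """Ordered input filter for the port: permit the user's own prefixes, deny the rest."""
    rules = [("permit", net) for net in permitted_sources(reply)]
    rules.append(("deny", ipaddress.ip_network("0.0.0.0/0")))
    return rules

def check_packet(rules, src):
    """First-match evaluation of a packet's source address against the filter."""
    ip = ipaddress.ip_address(src)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"

# Constructed sample replies (documentation address ranges, not real users).
SINGLE_HOST = {"Framed-IP-Address": "192.0.2.17"}
ROUTED_LAN = {
    "Framed-IP-Address": "192.0.2.33",
    "Framed-Route": ["198.51.100.0/28 192.0.2.33 1"],
}

if __name__ == "__main__":
    for name, reply in (("single host", SINGLE_HOST), ("routed LAN", ROUTED_LAN)):
        print(name)
        for action, net in build_filter(reply):
            print(f"  {action} src {net}")
```

A real deployment would translate each rule into the access server's own filter attribute; that encoding is vendor-specific and is not shown here.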