Re: SYN floods (was: does history repeat itself?)
At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
Alex.Bligh writes:
I think you are talking about filtering inbound packets to your router and restricting them to BGP announcements (I don't think Avi was - see below). This would be done on the destination address (checking it was within your announced route set) and thus doesn't help protect against spoofed source addresses.
No, Justin's talking about filtering _customers'_ packets at Justin's border with the customer. No BGP involved. This assumes customers that are not providers (ie, no transit for other nets through the customer). Good enough if all providers do the right thing (or if almost all do).
What Justin meant about his BGP announcements was that a customer's packet is legal IFF Justin's announcing that packet's net by BGP (on _behalf_ of the customer, not _to_ the customer). Again, customer means a site that's not a BGP peer.
Actually what Justin was talking about is as follows... Justin will only allow packets out of his border routers /to/ peers if they are packets with a source address inside the ranges of addresses he announces via BGP. I.e. if I announce 192.1.1.0 0.0.0.255 I would allow a packet with an address of 192.1.1.1 out of my network into "the net at large" but not if the packets source address was 192.1.2.1. I will allow any packet which I allow to enter my network into a customer's network. Their filtering is their problem. Justin Newton Internet Architect Erol's Internet Services
"Justin W. Newton" <justin@erols.com>:
Actually what Justin was talking about is as follows...
Justin will only allow packets out of his border routers /to/ peers if they are packets with a source address inside the ranges of addresses he announces via BGP. I.e. if I announce 192.1.1.0 0.0.0.255 I would allow a packet with an address of 192.1.1.1 out of my network into "the net at large" but not if the packets source address was 192.1.2.1. I will allow any packet which I allow to enter my network into a customer's network. Their filtering is their problem.
... and the broken case I was talking about was (e.g.) where you announce your AS-MACRO or whatever to peer routers A, B, C accross a NAP but also annouce full routing (for say backup transit) to D. Let's say for simplicity 192.1.1.0 is your only announcement to peers (small network :-) ). So you would have to filter outgoing packets to A-C differently than those to D (as they might legitimately have source addresses from within the internet at large and be destined for D). You could do this on (say) IP address of next hop. But let's say D transits B, and doesn't have next-hop-self switched on. Then packets from source addresses from internet at large which were destined for B, which would legitimately be passing out of your i/f towards B would get filtered. Fine, so you could force them to use next-hop-self, or use the IP address of the BGP peer concerned to do the filtering on. But this wouldn't work with the RAs. This is a problem whenever you are providing customer facing services (in the broadest sense, i.e. transit) out of the same i/f as peer services. OK, so you decide that *either* the source or the destination address has to be within your 'peer' announcement (i.e. the packet has to either be going to one of your networks (in this case including D's who you are transitting) or coming from one of your networks (also incl. D)). Well fine, but if you blur the transit / peer distinction further we get down to a situation where you are essentially routing on source address as well as destination address. Not really very maintainable. Alex Bligh Xara Networks
-->... and the broken case I was talking about was (e.g.) where you announce -->your AS-MACRO or whatever to peer routers A, B, C accross a NAP but -->also annouce full routing (for say backup transit) to D. Let's say -->for simplicity 192.1.1.0 is your only announcement to peers (small -->network :-) ). So you would have to filter outgoing packets to A-C -->differently than those to D (as they might legitimately have source -->addresses from within the internet at large and be destined for D). -->You could do this on (say) IP address of next hop. But let's say D -->transits B, and doesn't have next-hop-self switched on. Then packets from -->source addresses from internet at large which were destined for B, which -->would legitimately be passing out of your i/f towards B would get filtered. -->Fine, so you could force them to use next-hop-self, or use the IP -->address of the BGP peer concerned to do the filtering on. But this -->wouldn't work with the RAs. --> -->This is a problem whenever you are providing customer facing services -->(in the broadest sense, i.e. transit) out of the same i/f as peer -->services. OK, so you decide that *either* the source -->or the destination address has to be within your 'peer' announcement -->(i.e. the packet has to either be going to one of your networks -->(in this case including D's who you are transitting) or coming -->from one of your networks (also incl. D)). Well fine, but if -->you blur the transit / peer distinction further we get down -->to a situation where you are essentially routing on source address -->as well as destination address. Not really very maintainable. --> -->Alex Bligh -->Xara Networks --> --> What about the case where a customer knows your topology, and knowsof a valid address that isn't alive, and possibly never would be. In order to really squelch this problem, you'd have to filter at the point of the network where the customer connects to you, at your termination device, otherwise a customer could successfully attack another network on the assumption that you aren't filtering down to the nose. From what I've read, these type attacks could be spotted because the source port changes sequentially, although this wouldn't be hard to change. If you constructed a device to detect and correct these type situations, if it were between your backbone and your customers, this might work. If your router logs via syslog bgp updates debugging, then the device could dynamically decide to forward or deny packets based on source or destination or whatever you like. With a fast enough machine, this shouldn't be a performance hit, and it takes a heavy load off the borders from doing packet filtering. But if you filter at your termination point, you do not need to worry about generating attacks, and with the makeshift box acting as a router, you are protected from inbound attacks. Does this sound too impractical? -- ------------------------------------------- | Jeremy Hall Network Engineer | | ISDN-Net, Inc Office +1-615-371-1625 | | Nashville, TN and the southeast USA | | jhall@isdn.net Pager +1-615-702-0750 | -------------------------------------------
participants (3)
-
Alex.Bligh -
Justin W. Newton -
Mr. Jeremy Hall