At 10:43 PM 7/8/96 -0400, Todd Graham Lewis wrote:
If you have a very restrictive security policy, then you might want to place a packet filter on all outgoing traffic. If your network is 10.1.1.64/26, then you might have the following two rules:
action   source          destination
------   ------          -----------
allow    10.1.1.64/26    *
deny     *               *
Of course, no one does this, because it is very time consuming for your router to examine every packet in this way. This translates into more marginal cost on your hardware for very little return.
Say that person X, the person who owns the network from which these pings are apparently originating, did have such a filter. What does this do? It proves that the packets are not originating on his network. Does it stop anyone else from forging these packets? No.
Actually it doesn't prove that. The filter would /allow/ the packets to pass through the router since they were coming from one of his networks. If everyone else on the planet had such a rule it would prove that it /was/ coming from him.
Justin Newton
Internet Architect
Erol's Internet Services
If you have a very restrictive security policy, then you might want to place a packet filter on all outgoing traffic. If your network is 10.1.1.64/26, then you might have the following two rules: [...] Say that person X, the person who owns the network from which these pings are apparently originating, did have such a filter. What does this do? It proves that the packets are not originating on his network. Does it stop anyone else from forging these packets? No.
Actually it doesn't prove that. The filter would /allow/ the packets to pass through the router since they were coming from one of his networks. If everyone else on the planet had such a rule it would prove that it /was/ coming from him.
It doesn't prevent someone at another ISP from doing that sort of attack, but it does prevent that sort of attack from originating at your site using faked source addresses to cause someone else problems tracking it down. It's not a defense for you per se, it's a defense for the rest of the net from you. Responsible net citizenship and all that...
-george william herbert
gherbert@crl.com
Personally, I use the configuration script listed below on my internet-facing interface. This guarantees that all packets coming into my net are tagged with a source address OUTSIDE my net, and are bound for a host inside my net. Likewise, outbound packets MUST have an origin inside my net. This protects me from address spoofing from the rest of the net, and protects the rest of the net from my users. I've got similar filters on all of my customer-facing interfaces.
-forrestc@imach.com
-- Start of Included File --
!
! Configuration Script for IP Filtering on Internet-facing interface
! 101 is inbound
! 102 is outbound
!
! Detach both lists from the interface before rebuilding them
int s 0
 no ip access-group 101 in
 no ip access-group 102 out
exit
!
! 101 (inbound): first drop anything arriving from the Internet that
! claims one of our own networks as its source (spoofed), then permit
! only traffic destined for our own networks; everything else hits the
! implicit deny at the end of the list
no access-list 101
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 204.182.240.0 0.0.15.255 any
access-list 101 deny ip 199.5.171.0 0.0.0.255 any
access-list 101 deny ip 199.5.172.0 0.0.0.255 any
access-list 101 deny ip 205.166.211.0 0.0.0.255 any
access-list 101 deny ip 206.127.64.0 0.0.63.255 any
access-list 101 deny ip 206.58.180.0 0.0.1.255 any
access-list 101 deny ip 206.58.182.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 204.182.240.0 0.0.15.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
access-list 101 permit ip any 199.5.172.0 0.0.0.255
access-list 101 permit ip any 205.166.211.0 0.0.0.255
access-list 101 permit ip any 206.127.64.0 0.0.63.255
access-list 101 permit ip any 206.58.180.0 0.0.1.255
access-list 101 permit ip any 206.58.182.0 0.0.0.255
!
! 102 (outbound): permit only packets sourced from our own networks;
! the implicit deny drops anything leaving with a forged source
no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 204.182.240.0 0.0.15.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
access-list 102 permit ip 199.5.172.0 0.0.0.255 any
access-list 102 permit ip 205.166.211.0 0.0.0.255 any
access-list 102 permit ip 206.127.64.0 0.0.63.255 any
access-list 102 permit ip 206.58.180.0 0.0.1.255 any
access-list 102 permit ip 206.58.182.0 0.0.0.255 any
!
! Reattach the rebuilt lists
int s 0
 ip access-group 101 in
 ip access-group 102 out
exit
-- End of Included File ---
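The following is an added example, not part of the thread and not code from any of the posters. It takes a constructed subset of the IOS access lists in the included file above (plus the two-rule "allow 10.1.1.64/26, deny everything" table from Todd's message, written as list 103), parses the wildcard-mask syntax, and evaluates a few constructed packets against the inbound and outbound lists so the anti-spoofing effect of each list can be checked without a router. First-match-wins with an implicit deny at the end models IOS behaviour; the packet addresses, rule names and the `check_packets` helper are assumptions made for the example.

```python
"""Evaluate IOS-style access lists against constructed packets.

Added example for the anti-spoofing discussion above; not from the
original posters.  Only 'access-list N permit|deny ip SRC DST' entries
are handled (SRC/DST as 'any', 'host A', or 'A WILDCARD').
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the posted config; list 103 is the /26 example
# from earlier in the thread, expressed with an IOS wildcard mask.
CONFIG = """\
! inbound (101): drop our own sources, then accept only traffic to us
no access-list 101
access-list 101 deny ip 204.94.230.0 0.0.1.255 any
access-list 101 deny ip 199.5.171.0 0.0.0.255 any
access-list 101 permit ip any 204.94.230.0 0.0.1.255
access-list 101 permit ip any 199.5.171.0 0.0.0.255
! outbound (102): only our own sources may leave
no access-list 102
access-list 102 permit ip 204.94.230.0 0.0.1.255 any
access-list 102 permit ip 199.5.171.0 0.0.0.255 any
! the two-rule table from the /26 example (deny * * is the implicit deny)
access-list 103 permit ip 10.1.1.64 0.0.0.63 any
"""


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]        # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS address + wildcard (0 bits must match) to a network.

    Only contiguous wildcards (2**n - 1) are accepted; IOS allows
    non-contiguous ones, but this example does not model them.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _parse_addr(tok: List[str], i: int):
    """Parse one address spec starting at tok[i]; return (network, next_i)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> Dict[str, List[Rule]]:
    """Collect extended IP entries per list number, in order."""
    acls: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        tok = raw.split()
        # skip comments, 'no access-list', interface commands, etc.
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        number, action = tok[1], tok[2]
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(number, []).append(Rule(action, src, dst))
    return acls


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action
    return "deny"


def check_packets() -> Dict[str, str]:
    """Run constructed packets through the lists; 198.51.100.0/24 and
    203.0.113.0/24 play the role of 'the rest of the net'."""
    acls = parse_acl(CONFIG)
    cases = {
        "legit inbound":        ("101", "198.51.100.7", "204.94.231.10"),
        "spoofed inbound":      ("101", "204.94.230.5", "204.94.231.10"),
        "transit, not for us":  ("101", "198.51.100.7", "203.0.113.9"),
        "legit outbound":       ("102", "199.5.171.3", "198.51.100.7"),
        "spoofed outbound":     ("102", "10.1.1.70", "198.51.100.7"),
        "/26 example, inside":  ("103", "10.1.1.70", "198.51.100.7"),
        "/26 example, forged":  ("103", "10.1.1.130", "198.51.100.7"),
    }
    return {name: evaluate(acls[n], s, d) for name, (n, s, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_packets().items():
        print(f"{name:22s} -> {verdict}")
```

Note that "transit, not for us" is dropped by the inbound list's implicit deny, and the forged /26 packet is dropped the same way even though the original table spelled out a "deny * *" line: on IOS that trailing deny is implied. As Justin points out in the thread, list 102 says nothing about whether a packet with one of our sources came from us; it only stops forged sources leaving.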
participants (3)
- Forrest W. Christian
- George Herbert
- Justin W. Newton