Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
> ... buying screen doors for igloos may not be the best use of resources. uRPF doesn't actually prevent any attacks.

actually, it would. universal uRPF would stop some attacks, and it would remove a "plan B" option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense.

> Would you rather ISPs spend money on 1. Deploying S-BGP? 2. Deploying uRPF? 3. Responding to incident reports?

"yes." and i can remember being sick and tired of competing (on price, no less) against providers who couldn't/wouldn't do #2 or #3. i'm out of the isp business at the moment, but the "race to the bottom" mentality is still a pain in my hindquarters, both present and remembered.
> actually, it would. universal uRPF would stop some attacks, and it would remove a "plan B" option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense.

I'm agreeing here, okay (yet another) example: smurf attacks. These seem to be non-existent these days, so shall we stop disabling 'ip directed-broadcast' on our routers?

Steve
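The disagreement above over whether uRPF "prevents any attacks" turns on which mode is meant. The following is an added example, not code from the thread or from any router vendor: a toy forwarding table and a Python model of the strict and loose checks, showing which spoofed sources each one drops. The prefixes, interface names and the table itself are constructed (RFC 5737 test ranges), and `allow_default` mirrors the common router knob that lets a default route satisfy the check.

```python
# Added example, not from the thread: a toy model of unicast RPF
# (strict and loose mode) over a constructed forwarding table.
import ipaddress

# Constructed FIB: prefix -> interface the route points out of.
# Prefixes and interface names are illustrative only.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"):    "Gi0/1",  # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer B
    ipaddress.ip_network("203.0.113.0/24"):  "Gi0/3",  # customer C
    ipaddress.ip_network("0.0.0.0/0"):       "Gi0/0",  # default, to upstream
}


def lookup(src):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress, allow_default=False):
    """Strict uRPF: forward only if the best route back to src exits the
    interface the packet arrived on. A match on the default route alone
    does not count unless allow_default is set."""
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(src, ingress, allow_default=False):
    """Loose uRPF: forward if any route to src exists at all. The ingress
    interface is ignored, so only unrouted (bogon) sources are caught."""
    hit = lookup(src)
    if hit is None:
        return False
    return hit[0].prefixlen > 0 or allow_default


# Constructed packets: (source address, ingress interface, description).
PACKETS = [
    ("192.0.2.10",   "Gi0/1", "customer A, genuine source"),
    ("198.51.100.5", "Gi0/1", "customer A spoofing customer B"),
    ("10.0.0.1",     "Gi0/1", "customer A spoofing an unrouted source"),
    ("192.0.2.10",   "Gi0/0", "upstream spoofing customer A"),
]


def evaluate(packets=PACKETS):
    """Return {description: (strict_passes, loose_passes)} for each packet."""
    return {d: (urpf_strict(s, i), urpf_loose(s, i)) for s, i, d in packets}


if __name__ == "__main__":
    for desc, (strict, loose) in evaluate().items():
        print(f"{desc:40s} strict={'pass' if strict else 'DROP':4s} "
              f"loose={'pass' if loose else 'DROP'}")
```

The two spoofed-customer cases are the interesting ones: strict mode drops both, but loose mode passes a customer spoofing another customer's routed address, which is exactly the reflection case a smurf relies on. Strict mode, in turn, drops legitimate traffic from a multihomed or asymmetrically routed customer, which is why "universal uRPF" has to be a customer-edge deployment and why transit links usually get loose mode at most.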
On Sun, 7 Mar 2004, Stephen J. Wilcox wrote:

> > actually, it would. universal uRPF would stop some attacks, and it would remove a "plan B" option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense.
>
> I'm agreeing here, okay (yet another) example: smurf attacks. These seem to be non-existent these days, so shall we stop disabling 'ip directed-broadcast' on our routers?

smurf attacks are far from 'non-existent' today, however they are not as popular as in 1999-2000-2001. In fact netscan.org still shows almost 9k networks that are 'broken'.
On Sun, Mar 07, 2004 at 08:48:00PM +0000, Christopher L. Morrow wrote:

> > > actually, it would. universal uRPF would stop some attacks, and it would remove a "plan B" option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense.
> >
> > I'm agreeing here, okay (yet another) example: smurf attacks. These seem to be non-existent these days, so shall we stop disabling 'ip directed-broadcast' on our routers?
>
> smurf attacks are far from 'non-existent' today, however they are not as popular as in 1999-2000-2001. In fact netscan.org still shows almost 9k networks that are 'broken'.

A few of us tried (like netscan, only more aggressively, on a weekly basis) to find and try to get closed smurf amplifiers in the RIPE region. We eventually gave up after closing ~20k, when the last few k refused to do anything at all. "My network is just a /30! Who cares, you're only getting TWO replies back for ONE packet, it's not like the big amplifiers! I'm not going to fix this!"

To anyone with this attitude: You are an idiot.

--
Avleen Vig
Systems Administrator
> smurf attacks are far from 'non-existent' today, however they are not as popular as in 1999-2000-2001.

that's interesting, i've not seen/heard of one for ages.. (guess you have a wider testing ground :)

> In fact netscan.org still shows almost 9k networks that are 'broken'.

actually i just ran that file through a quick awk and sort to see to what extent these networks exist.. as you can see almost all only reply two or three times, not like in the old days with >100 replies being commonplace..

  networks  replies per packet
      5224    2
      1834    3
       897    4
       334    5
       167    6
        56    7
        19    8
        15    9
         7   10
        11   11
         6   12
         3   13
         6   14
         1   15
         1   16
         4   17
         5   18
         1   23
         1   26
         1   28
         1  100
removed paul from the direct reply since his mailserver doesn't like uunet mail servers :)

On Sun, 7 Mar 2004, Stephen J. Wilcox wrote:

> > smurf attacks are far from 'non-existent' today, however they are not as popular as in 1999-2000-2001.
>
> that's interesting, i've not seen/heard of one for ages.. (guess you have a wider testing ground :)

just last week we had one... they do still happen.

> > In fact netscan.org still shows almost 9k networks that are 'broken'.
>
> actually i just ran that file through a quick awk and sort to see to what extent these networks exist..
> as you can see almost all only reply two or three times, not like in the old days with >100 replies being commonplace..

Sure, but a list of 9k networks with this level of response is still enough to do damage. It's getting better, no doubt about it, but it's still a factor.

--Chris (formerly chris@uu.net)
UUNET Technologies, Inc.
Manager, Customer Router Security Engineering Team
(W) 703-886-3823  (C) 703-338-7319
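To put numbers on the "two or three replies each, but nine thousand of them" exchange above, here is an added example that is not code from the thread. It redoes the awk-and-sort pass in Python over a constructed netscan-style list (target address, reply count), then sums the histogram Stephen posted to show how much traffic one sweep of the whole list would reflect. The sample list is made up; the `THREAD_HISTOGRAM` dict copies the figures from his message.

```python
# Added example, not from the thread: histogram and total amplification of a
# smurf-amplifier list in the shape netscan.org published (target, replies).
from collections import Counter

# Constructed sample in "broadcast-address reply-count" form; not real data.
SAMPLE = """\
# target          replies
192.0.2.255       2
192.0.2.3         2
198.51.100.255    3
198.51.100.63     4
203.0.113.255     100
203.0.113.127     3
203.0.113.3       2
"""

# The histogram posted in the thread: replies per probe -> number of networks.
THREAD_HISTOGRAM = {
    2: 5224, 3: 1834, 4: 897, 5: 334, 6: 167, 7: 56, 8: 19, 9: 15, 10: 7,
    11: 11, 12: 6, 13: 3, 14: 6, 15: 1, 16: 1, 17: 4, 18: 5, 23: 1, 26: 1,
    28: 1, 100: 1,
}


def parse(text):
    """Yield (target, replies) per data line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, replies = line.split()[:2]
        yield target, int(replies)


def histogram(text):
    """replies-per-probe -> number of networks (the awk | sort | uniq -c view)."""
    return dict(Counter(replies for _, replies in parse(text)))


def total_replies(hist):
    """Packets reflected back by one probe of every network in the histogram."""
    return sum(replies * networks for replies, networks in hist.items())


def total_networks(hist):
    """Number of amplifiers the histogram covers."""
    return sum(hist.values())


def report(hist):
    """Formatted table plus aggregate amplification, as a list of lines."""
    lines = [f"{'networks':>9} {'replies':>8}"]
    lines += [f"{n:9d} {r:8d}" for r, n in sorted(hist.items())]
    nets, pkts = total_networks(hist), total_replies(hist)
    lines.append(f"{nets} networks, {pkts} replies per sweep "
                 f"({pkts / nets:.2f}x average amplification)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(histogram(SAMPLE))))
    print()
    print("\n".join(report(THREAD_HISTOGRAM)))
```

Run against the posted histogram, the 8,594 networks return 23,641 packets for 8,594 sent, an average of about 2.75x. The per-network factor is small, which is the "/30" objection from Avleen's message, but the attacker chooses how many of the listed networks to hit and how fast, so the list as a whole is the weapon, not any one entry.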
participants (4)

- Avleen Vig
- Christopher L. Morrow
- Paul Vixie
- Stephen J. Wilcox