It is more of a case of at all. My associates feel that if a downstream ISP pissed someone off, it is their problem to solve, not ours. We do filter traffic not destined for our IP space at our borders, but, for the same reasons you stated, do nothing outbound, except on our BGP sessions where we don't want certain netblocks routed in the Internet. My concern is, if a perpetrator is persistent enough, he can write a ping flood program that uses some obscure ICMP type that is rarely used, say net-tos-redirect, and get in that way. Even if we were to block ICMP completely, which would take away source-quench, he could use UDP, or perhaps even TCP syn floods and the like to get at this guy. Either way, it is a difficult situation. Moreover, it is difficult to trace this stuff back through, because I have to get every ISP, NSP, etc, etc involved in order to trace spoofed IP addresses. How do you block spoofed IP addresses? I am already blocking ICMP redirects and IP source routed packets. Is there a better way, or should I just tell my customer to deal? I want to prevent this from consuming my bandwidth as well.
Thanks!
-Chris

Deepak wrote:
Are you trying to avoid a precedent of filtering at all or just filter at a whim? I don't think it's really possible nowadays to be responsible and not do _any_ filtering. I'd love to be able to not, but sometimes we have to. We also block source routed packets at our borders. We filter all inbound traffic to make sure it is destined for IPs that we route for (we can't filter outbound both by policy and technical difficulty).
-Deepak.

On Wed, 25 Mar 1998, Martin, Christian wrote:
That is what I am going to do. But with over 100 downstream customers, and IOS 11.1 (sans named access lists) I don't want to start a precedent.
Thanks!
On Wed, 25 Mar 1998, Jain Deepak wrote:
Why not just filter all ping traffic to his T1 until the attack subsides?
-Deepak.
On Wed, 25 Mar 1998, Martin, Christian wrote:
Hello All,
I have a customer who is being ping-flooded. His bandwidth is being sucked up due to these floods, and he wishes me to block them on my router. I am somewhat reluctant to do this, since it goes against our policy; however, the customer has been very patient with us on this issue and his patience is running out.
I would be implementing on a Cisco 7507, with 3 T-3s to the Internet, and the customer hangs off the router on a T-1. What is the general consensus on providing such a service, particularly in terms of processing overhead and manageability? Is there another way to prevent this type of attack, aside from watching packets go by and trying to trace it back through the source? The source IPs are spoofed.
Thanks! Christian Martin
On Wed, Mar 25, 1998 at 08:41:27PM -0500, Martin, Christian wrote:
It is more of a case of at all. My associates feel that if a downstream ISP pissed someone off, it is their problem to solve, not ours. We do
It's not always the ISP's fault... and while they should be the ones ultimately responsible for protecting themselves against DoS attacks, if a downstream of ours had a similar problem and came to us for aid, we would probably at least make some attempt to help them get the problem solved. I think there is a way to block spoofed addresses on the 75xx series, but as I am not the Cisco/IOS expert here, I'm not sure exactly what it is. I am going to check with the boss and if he has an answer I will present it here. -- Steve Sobol, Tech Support Guru, NACS.NET [http://www.nacs.net/support] (The address I use on Usenet is a valid address - don't try to unmunge it!) Moderator, alt.religion.afterburner [http://antispam.nstc.com/ara] 1997 AL and 1998 World Series Champions: [http://www.indians.com]
Hey Martin - is the address that is spoofed one of your allocations? 'Cuz you can inbound filter internal addresses and apply the ACL to the HSSIs on your 7500 series (if that is what is being spoofed). -- I am nothing if not net-Q! - ras@poppa.clubrich.tiac.net
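The two filters discussed in this thread, written out as an added example for a 7500 on IOS 11.1 (numbered extended ACLs, since named ACLs are not available); this is not configuration posted by anyone here. The prefix 192.0.2.0/24 is a placeholder for the ISP's own allocation, 198.51.100.10 for the flooded customer host, and the interface names are assumed.

```cisco
! Added example, not configuration from anyone in the thread.
! Placeholders: 192.0.2.0/24 stands in for the ISP's own allocation,
! 198.51.100.10 for the flooded customer host. Interface names are
! assumed; substitute the real HSSI (T-3) and serial (T-1) ports.

! Drop IP source-routed packets globally (the thread already does this).
no ip source-route

! ACL 101: anti-spoof ingress filter for the Internet-facing T-3s.
! A packet arriving from the Internet can never legitimately carry a
! source address from our own allocation, so discard it. This only
! catches spoofing of *our* prefixes; it does nothing for packets
! spoofed from someone else's space.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 permit ip any any

! ACL 102: temporary ping-flood relief for the single customer T-1.
! Drops only ICMP echo requests toward the flooded host; every other
! ICMP type (redirect handling, source-quench, unreachables) still
! passes. Remove it once the flood subsides.
access-list 102 deny   icmp any host 198.51.100.10 echo
access-list 102 permit ip any any

interface Hssi0/0/0
 description Upstream T-3 #1
 no ip redirects
 ip access-group 101 in
!
interface Hssi0/1/0
 description Upstream T-3 #2
 no ip redirects
 ip access-group 101 in
!
interface Hssi1/0/0
 description Upstream T-3 #3
 no ip redirects
 ip access-group 101 in
!
interface Serial2/0/0
 description Customer T-1 (flood victim)
 ip access-group 102 out
```

"show access-lists" reports per-entry match counters, which is the cheapest way to confirm the deny entries are actually hitting and to see when the flood stops; avoid the ACL "log" keyword under a heavy flood, since logged matches are process-switched and add exactly the CPU overhead the original question worries about.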
participants (3)
- Martin, Christian
- Rich Sena
- Steve Sobol