At 09:33 PM 4/13/98 -0700, Vadim Antonov wrote:
You're right, silly me.
--vadim
Forrest W. Christian <forrestc@iMach.com> wrote:
On Mon, 13 Apr 1998, Vadim Antonov wrote:
Uh. Just modify BGP routes from that feed to have a next hop pointing to a black hole. route-maps are sometimes useful.
Could someone PLEASE explain to me how this is accomplished?
Let's assume that you do use a route-map to set next hop to a null interface or a black hole or something for a prefix. AND set local pref appropriately so that route gets preferred.
You now have a routing entry which essentially says:
"forward packets DESTINED FOR the evil network to the black hole".
What you really want is a routing entry which says:
"forward packets FROM the evil network to the black hole".
Now, if someone could enlighten me to a way which you can get BGP to make a routing/filter entry to do this second one, I'd be most grateful.
Why wouldn't this work (on IOS 11.3 at least):

a) pick an unused interface (shutdown):

    inter s0/2
     ip address 192.168.1.5 255.255.255.252
     shutdown
    ip route 192.168.1.0 255.255.255.0 Null0 254

b) Say the spammer is 220.88.182.128/27:

    access-list 20 permit 220.88.182.128 0.0.0.31
    route-map spam-filter permit 10
     match ip address 20
     set ip default next-hop 192.168.1.6

c) On your Fast Ethernet - or whatever interface you use to feed pkts to your outgoing lines:

    int fa1/0
     ip policy route-map spam-filter

All outgoing pkts to 220.88.192.128/27 now should go to Null0. I am sure one can improve on the logic even more.

-Hank
On Tue, 14 Apr 1998, Hank Nussbacher wrote:
All outgoing pkts to 220.88.192.128/27 now should go to Null0. I am sure one can improve on the logic even more.
Exactly. All OUTGOING packets. Not Incoming. Not the smurf attack packets which are swamping your downstream customer, which have a source address from 220.88.192.128/27.

I will concede that shutting off connectivity to a site by a large enough chunk of the net should get someone to fix stuff.... But part of the advantage of the MAPS RBL BGP feed is that it helps to cut down spam coming into your network. A BGP feed TODAY won't block a ping amplification attack aimed at your network or a downstream. All it will do is prevent your customers from using the ping amplification networks to launch an attack. And, if you have the appropriate anti-spoofing filters in place, they shouldn't be able to attack anything other than the valid source addresses you have in your outbound filter set.

- Forrest W. Christian (forrestc@imach.com)
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
Why not just block them at your interface with an access-list (firewall) filter?

On Tue, 14 Apr 1998, Forrest W. Christian wrote:

:On Tue, 14 Apr 1998, Hank Nussbacher wrote:
:
:> All outgoing pkts to 220.88.192.128/27 now should go to Null0. I am sure
:> one can improve on the logic even more.
:
:Exactly. All OUTGOING packets. Not Incoming. Not the smurf attack
:packets which are swamping your downstream customer, which have a source
:address from 220.88.192.128/27.
:
:I will concede that shutting off connectivity to a site by a large enough
:chunk of the net should get someone to fix stuff.... But part of the
:advantage of the MAPS RBL BGP feed is that it helps to cut down spam
:coming into your network. A BGP feed TODAY won't block a ping
:amplification attack aimed at your network or a downstream. All it will
:do is prevent your customers from using the ping amplification networks to
:launch an attack. And, if you have the appropriate anti-spoofing filters
:in place, they shouldn't be able to attack anything other than the valid
:source addresses you have in your outbound filter set.
:
:- Forrest W. Christian (forrestc@imach.com)
:----------------------------------------------------------------------
:iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
:Solutions for your high-tech problems. (406)-442-6648
:----------------------------------------------------------------------
:
:

--
Regards,

Jason A. Lixfeld               jlixfeld@idirect.ca
iDirect Network Operations     jlixfeld@torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806 (T)
M9B-1B5 CANADA               | (416) 236-5804 (F)
---------------------------------------------------------------------
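The destination-versus-source distinction argued in the two messages above, as an added example that is not part of the original thread: a toy forwarding model in which a Null0 route drops traffic TO the listed prefix while traffic FROM it is still delivered unless a source-matching filter is applied. The customer network 10.1.1.0/24, the host addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Prefix quoted in the thread; every other value here is constructed.
LISTED = ipaddress.ip_network("220.88.192.128/27")

# Forwarding table as (prefix, next hop). The listed prefix has been
# pointed at the black hole, as a BGP feed with a rewritten next hop would.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("10.1.1.0/24"), "customer"),  # hypothetical downstream
    (LISTED, "Null0"),
]

def fib_lookup(dst):
    """Longest-prefix match. Only the destination address is consulted."""
    matches = [(net, hop) for net, hop in FIB if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(src, dst, source_deny=()):
    """Return the fate of one packet. source_deny models an inbound
    access-list that matches on the source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in net for net in source_deny):
        return "dropped by source filter"
    hop = fib_lookup(dst)
    return "dropped at Null0" if hop == "Null0" else f"forwarded to {hop}"

def demo():
    listed_host = "220.88.192.130"   # constructed address inside LISTED
    customer = "10.1.1.10"           # constructed downstream host
    return {
        # Customer sends toward the listed prefix: the null route catches it.
        "to_listed": forward(customer, listed_host),
        # Listed prefix sends toward the customer: the route lookup never
        # looks at the source, so the packet is delivered.
        "from_listed": forward(listed_host, customer),
        # Same packet with a source-matching filter on the inbound interface.
        "from_listed_with_acl": forward(listed_host, customer,
                                        source_deny=[LISTED]),
    }

if __name__ == "__main__":
    for case, fate in demo().items():
        print(f"{case:22} -> {fate}")
```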
:I will concede that shutting off connectivity to a site by a large enough
:chunk of the net should get someone to fix stuff.... But part of the
:advantage of the MAPS RBL BGP feed is that it helps to cut down spam
:coming into your network. A BGP feed TODAY won't block a ping
:amplification attack aimed at your network or a downstream. All it will
:do is prevent your customers from using the ping amplification networks to
:launch an attack. And, if you have the appropriate anti-spoofing filters
:in place, they shouldn't be able to attack anything other than the valid
:source addresses you have in your outbound filter set.
MAPS RBL BGP feed blocks all traffic back to a given network, after a spamming event. It doesn't do too much to stop an in progress event, since it doesn't respond that quickly with updates. (part [most?] of the delay is Vixie's investigation) It's effective because it puts a lot of pressure on networks that host spammers to make sure it doesn't happen again. Thus, it tends to reduce spam.

Likewise, a Smurf BGP feed won't stop an in-progress attack, but it will put a lot of pressure on smurfable networks to make sure they aren't smurfable in the future. And that's a pretty good tool, even if it's not 100% effective.

--Dean

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                                       dean@av8.com
LAN/WAN/UNIX/NT/TCPIP/DCE                           http://www.av8.com
We Make IT Fly!                                     (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
participants (4): Dean Anderson, Forrest W. Christian, Hank Nussbacher, jlixfeld@idirect.ca