Re: Filtering ICMP (Was Re: SMURF amplifier block list)
Okay, so it's clear that we need to come up with some sort of sol'n to these kinds of problems. Here's my two cents: Don't block all of ICMP. Block pings and traceroutes if you think that it's going to make your life better, but please don't break anything else. We need a low-pain protocol to allow provider NOCs to check out a few salient things on their upstream provider's/peers routers -- e.g. which interface a particular spoofed packet is coming from, the IP address of the remote-side interface, etc., etc., all the way back to the source. This would allow provider NOCs to track this stuff down themselves. No more 6 hour phone calls to people with various degrees of clue/time/energy for a problem that may only occur for 15 minutes at a time, every 4 hours. It wouldn't be hard to jimmy this protocol (in case people care) such that you would ONLY be able to track back to a particular NOC's router if all of the inbetween-routers had "signed off" on the fact that what you're looking for (specific dst/src or packet type) had actually SHOWN UP on them as well. It wouldn't have to continuously check this -- just check once and PK-encrypt the timestamp into the signature on the authentication packet. Various timeouts could be configured by individual NOCs. (Yes, each NOC could have its own PK value -- but there would only have to be one per AS). Before everyone gets all hot and bothered about the suggestion that I'm making -- I'm not talking about arbitrary packet sniffing -- I'm talking about sniffing HEADERS on packets whose dst address (or packet type or whatever everyone agrees is significant) is inside the domain of the dst provider. Not a big deal. I really don't think that it's that much to give up -- hell, digex already allows me to dump their entire BGP table anytime I want -- i'm just talking about some very minimal tracking ability. Some companies, such as sprint, who may have hundreds of customers plugged into a single router, may not want to do this. But frankly, without this, we're all dependent upon the clue/time/energy of some guy who's busy doing his own thing, and we aren't guaranteed timely and accurate information. Actually, now that I think of it, you could almost jimmy this out of a few hours of PGP-wrapped SNMP-calling perl scripts listening to some fixed socket at some fixed (and published) IP address of each network provider. No reason to dick with the router code if no need to. What say ye? steve
participants (1)
-
Steve Uurtamo