Re: BCP38 making it work, solving problems
From owner-nanog@merit.edu Tue Oct 12 20:41:45 2004 Date: Wed, 13 Oct 2004 07:09:10 +0530 From: Suresh Ramasubramanian <suresh@outblaze.com> To: alex@yuriev.com Cc: Steven Champeon <schampeo@hesketh.com>, nanog@merit.edu Subject: Re: BCP38 making it work, solving problems
alex@yuriev.com [12/10/04 13:16 -0400]:
If I, and my little 7-man company, can afford to have me solve the problem on our end, why the heck can't you do the same?
You can do it because you are a 7-man company. So can I. However, companies the size of Sprint cannot do it.
Most filtering that I've seen (email, router, whatever) that just works great for a 7 man company will not work when you serve several million users, that's a fact.
Certain _basics_ *are* applicable, regardless of scale. e.g. perimeter filtering of inbound packets w/ RFC-1918 a _source_ address, except for specific ICMP status/response messages. e.g. perimeter filtering of inbound packets with a _source_ address that is in *your* assigned address-space. Some medium-big (and up) operators implement 'RFC-1918 source' filters on their gateways to the 'external internet', but *not* on their customer interfaces. Which means that one of their customers can be attacked via such means, by *another* of their customers. And, after the fact, they can't even tell =which= of their customers done the deed. Similarly, one customer can 'spoof' another customer of that same provider.
One false positive report per week from 7 users. How many per week - or per day - when you have 40 million users, is a question that gets answered real fast.
A lot of the bad filtering (or lack of filtering, for that matter) decisions I've seen at large network providers and ISPs is generally where they are also unresponsive to their users and to the internet community that reports stuff to them (quite a few places I could name where most role accounts seem to funnel straight to /dev/null)
srs
Some medium-big (and up) operators implement 'RFC-1918 source' filters on their gateways to the 'external internet', ...
maybe so. but i want to renew an old complaint, with updated numbers: # ipfw show ... 00400 57623404 3927757977 deny ip from 10.0.0.0/8 to any in 00500 139309999 11937839356 deny ip from 172.16.0.0/12 to any in 00600 35860354 2414549719 deny ip from 192.168.0.0/16 to any in 00700 6041138223 399700558975 pipe 1 udp from any to any dst-port 53 in 00800 29757298 1264366050 pipe 2 tcp from any to any dst-port 53 in ... those are rule#, packets, octets, and rule. on this f-root server which is one of about 50 although its routing placement causes it to hear more requests, usually, than most of the others, we see that since last reboot: 233M packets (18G octets) came from an RFC1918 source 6G packets (401G octets) came from non-RFC1918 sources i think it's fair to say that filtering RFC1918 source addresses on egress toward "the core" is not all that common. although i'm happy to report that both AOL and SBC now do it, and the above numbers havn't gotten as much worse as i expected they would in the time since my last complaint. # tcpdump -n -s 0 -c 10 udp port 53 and \ src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \) ... 16:45:06.164258 192.168.0.1.1030 > 192.5.5.241.53: \ 12540 A? x1.w00pie.nl. (30) 16:45:06.181960 172.16.160.2.53 > 192.5.5.241.53: \ 7929 A? NPIFF12B7.k12.nj.us. (37) 16:45:06.182641 10.8.1.16.1051 > 192.5.5.241.53: \ 15860 [1au] PTR? 98.239.71.156.in-addr.arpa. (55) 16:45:06.320755 192.168.230.161.1041 > 192.5.5.241.53: \ 3026 A? rsthost3.ods.org.cncc.com. (43) 16:45:06.339133 172.20.0.13.53 > 192.5.5.241.53: \ 27425 A? infopak.gov.pk. (32) 16:45:06.378595 10.1.100.51.53 > 192.5.5.241.53: 3217 A? PC00000737. (28) 16:45:06.394286 10.8.1.11.53 > 192.5.5.241.53: 8457 A? www.office.ac. (31) 16:45:06.394933 10.8.1.11.53 > 192.5.5.241.53: 6422 A? www.office.ac. (31) 16:45:06.395310 10.8.1.11.53 > 192.5.5.241.53: 288 A? www.office.ac. (31) 16:45:06.395803 10.8.1.11.53 > 192.5.5.241.53: 246 A? www.office.ac. (31) ... i've been wondering if it would be possible to track down these sources by looking at the query-names. i've also been wondering if ISC should have a peering agreement requiring peers to implement BCP38. -- Paul Vixie
participants (2)
-
Paul Vixie
-
Robert Bonomi