At 05:32 PM 10/2/96 -0400, Dima Volodin wrote:
Anyway, filtering packets with SRC addresses known to generate ICMP_UNREACH at the earliest possible stage might be a good idea.
Well, this is what we [collectively] have been talking about doing as a 'best current practice' since the attacks became evident. Also, see: [snip] A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Network Ingress Filtering Author(s) : P. Ferguson Filename : draft-ferguson-ingress-filtering-00.txt Pages : 6 Date : 10/01/1996 Recent occurrences of various Denial of Service attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective and straightforward method for using ingress traffic filtering to deny attacks which use "invalid" source addresses; prefixes which are not being legitimately advertized to the Internet via a particular service provider gateway. [snip] Once the document is revised to an acceptable [rough consensus] draft, I'd like to see it become published as a BCP. - paul
In the same document: 4. Liabilities [...] Also, while ingress filtering drastically reduces the success of source address spoofing, it does not preclude an attacker using a forged source address of another host within the permitted prefix filter range. I.e. a single compromised host in the "permitted prefix filter range" can cause as much trouble as the current attacks. Granted, it's a bit easier to track down a host like this, but eliminating the majority of compromisable hosts is even more difficult than global implementation of the cited document. The bitter irony is that non-implementation of this draft will most probably corelate with presence of compromisable hosts. Thus host-(and firewall-)based solutions are at least as important as the ingress filtering. As of the evidence of these attacks - they were evident long before the current talking. Dima Paul Ferguson writes:
[...] Well, this is what we [collectively] have been talking about doing as a 'best current practice' since the attacks became evident.
Also, see:
[snip]
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Network Ingress Filtering Author(s) : P. Ferguson Filename : draft-ferguson-ingress-filtering-00.txt Pages : 6 Date : 10/01/1996 [...]
participants (2)
-
dvv@sprint.net
-
Paul Ferguson