Automatic filtering - CISCO, you should think about this...
Hi CISCO :-)

I know this isn't their list, but since most major network providers run their stuff, this is as good a place as any to talk about this.

How about an interface keyword such as "auto-inbound-filter", which does this:

At STARTUP and when the LOCAL route table changes (i.e. "ip route xxx..." statements) the system looks at the interfaces and the local static routes, and builds an accept list for that interface. The list is stored in a "reserved" set of system access lists.

Add a parameter which can be turned on (i.e. log) which would add "log" to the end of the filter lists, so that anyone TRYING to smurf will get logged.

This would totally automate the process of inbound filtering to prevent or severely limit smurf attacks.

Since filters which are based only on the source address are relatively cheap for the router to process, this would likely not seriously burden anyone in their direct connections.

I'd love to see something like this, and it would reduce the complaint that it's "too hard to manage" such things.

--
Karl Denninger (karl@MCS.Net) | MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/             | T1's from $600 monthly to FULL DS-3 Service
                                | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]   | EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]        | *SPAMBLOCK* Technology now included at no cost
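Karl's sketch worked through as an added illustration (this is not code from the post, nor any Cisco feature): a script that reads a constructed set of "ip route" statements, derives the per-interface accept list from the prefixes routed out of each interface, and emits it as numbered IOS extended access lists with the optional trailing log entry. The interface names, prefixes and the "reserved" ACL number range are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample config (not from any real router): the interfaces and the
# "ip route" statements the proposed feature would read from the local route table.
INTERFACES = ["Serial0", "Serial1", "Ethernet0"]
STATIC_ROUTES = """
ip route 192.0.2.0 255.255.255.0 Serial0
ip route 198.51.100.0 255.255.255.128 Serial0
ip route 198.51.100.128 255.255.255.128 Serial1
ip route 203.0.113.0 255.255.255.0 Ethernet0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""
RESERVED_ACL_BASE = 190  # assumed "reserved" block of numbered extended ACLs

def routes_by_interface(static_routes, interfaces):
    """Map each interface to the prefixes statically routed out of it; routes
    with an IP next hop (like the default route above) name no interface and
    so contribute nothing to any accept list."""
    per_if = defaultdict(list)
    for line in static_routes.strip().splitlines():
        _, _, dst, mask, nexthop = line.split()
        if nexthop in interfaces:
            per_if[nexthop].append(ipaddress.ip_network(f"{dst}/{mask}"))
    return per_if

def build_inbound_filters(static_routes, interfaces, log=False):
    """Return {interface: [IOS config lines]}: inbound on an interface, only
    sources inside a prefix routed out of it are permitted; the rest is dropped,
    and with log=True the final deny is logged so spoofing attempts are visible."""
    per_if = routes_by_interface(static_routes, interfaces)
    config = {}
    for idx, iface in enumerate(interfaces):
        acl = RESERVED_ACL_BASE + idx
        lines = [f"no access-list {acl}"]
        # merge adjacent/overlapping routes so the list stays short
        for net in ipaddress.collapse_addresses(per_if[iface]):
            # IOS ACLs take an inverted (wildcard) mask, i.e. the hostmask
            lines.append(f"access-list {acl} permit ip {net.network_address} {net.hostmask} any")
        lines.append(f"access-list {acl} deny ip any any" + (" log" if log else ""))
        lines += [f"interface {iface}", f" ip access-group {acl} in"]
        config[iface] = lines
    return config

if __name__ == "__main__":
    for lines in build_inbound_filters(STATIC_ROUTES, INTERFACES, log=True).values():
        print("\n".join(lines))
```

An interface with no static routes behind it (a transit uplink reached only through a next-hop address, say) ends up with a deny-everything list, which is why the per-interface off switch debated later in the thread matters.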
Karl Denninger writes...

> How about an interface keyword such as "auto-inbound-filter", which does this:
>
> At STARTUP and when the LOCAL route table changes (i.e. "ip route xxx..." statements) the system looks at the interfaces and the local static routes, and builds an accept list for that interface. The list is stored in a "reserved" set of system access lists.
>
> Add a parameter which can be turned on (i.e. log) which would add "log" to the end of the filter lists, so that anyone TRYING to smurf will get logged.
>
> This would totally automate the process of inbound filtering to prevent or severely limit smurf attacks.
>
> Since filters which are based only on the source address are relatively cheap for the router to process, this would likely not seriously burden anyone in their direct connections.
>
> I'd love to see something like this, and it would reduce the complaint that it's "too hard to manage" such things.

How about having "no-auto-inbound-filter" instead, making the default in all new versions of IOS be to run this essential level of protection, providing a means to turn it off only for those who know they need to turn it off.

--
Phil Howard | phil at milepost dot com
> > Since filters which are based only on the source address are relatively cheap for the router to process, this would likely not seriously burden anyone in their direct connections.
> >
> > I'd love to see something like this, and it would reduce the complaint that it's "too hard to manage" such things.
>
> How about having "no-auto-inbound-filter" instead, making the default in all new versions of IOS be to run this essential level of protection, providing a means to turn it off only for those who know they need to turn it off.

It was proposed to CISCO about 1 year ago. But I have heard they are doing something about this (though it's in private talks only).

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Alex P. Rudnev writes...

> > How about having "no-auto-inbound-filter" instead, making the default in all new versions of IOS be to run this essential level of protection, providing a means to turn it off only for those who know they need to turn it off.
>
> It was proposed to CISCO about 1 year ago. But I have heard they are doing something about this (though it's in private talks only).

Once the appropriate management decides that a feature like this is a top priority, Cisco surely has the resources to get it implemented into IOS code, and tested, in perhaps 3 months and no less than 6 months. They clearly have other priorities. We need to push this one ahead, to the top.

I'd even settle for having the function w/o a way to turn it off as an interim if the holdup is deciding how to make it configurable.

We should all ask our Cisco sales people if "default auto-inbound-filter" will be in all shipped IOS versions by, say, 2Q98. If they can't say "yes" then grill 'em and leave the impression you'll be looking at other products in 2Q98.

And if you have Ascend sales people calling, ask 'em the same thing. Same for anyone else. For example I have a 3com salesman constantly checking up on how happy I am with my Ascend MAX's. I know what I'll be asking him on his next phone call.

--
Phil Howard | phil at milepost dot com
(hope this is being sent to the right nanog address)

On Mon, Dec 29, 1997 at 08:24:49AM -0600, Phil Howard wrote:
[about auto-inbound filter]

IMHO, the best place for this sort of filter is on dialup servers, to stop the 31337 kode weenies with their little lunix boxen hosing around. This would be things like cisco's 5200 access servers, ascend's max and big ugly boxen (GRF?), livingston portmonsters and USR^H^H^H3COM total(ly out of)control.

|We should all ask our Cisco sales people if "default auto-inbound-filter"
|will be in all shipped IOS versions by, say, 2Q98. If they can't say "yes"
|then grill 'em and leave the impression you'll be looking at other products
|in 2Q98.

my cisco sales person would need re-education first.

|And if you have Ascend sales people calling, ask 'em the same thing. Same
|for anyone else. For example I have a 3com salesman constantly checking up
|on how happy I am with my Ascend MAX's. I know what I'll be asking him on
|his next phone call.

I asked USR for this feature back when we were just starting BETA testing of TC chassis. (March) Nothing since then. I believe I worded it like this: I'd like an automatic filter on my dialups that will drop anything that isn't sourced from an address that you have given it.

Peter
participants (4): Alex P. Rudnev, Karl Denninger, Peter Evans, Phil Howard