nanog mailing list archives
Re: Ping flooding
From: avg () ncube com (Vadim Antonov)
Date: Thu, 11 Jul 1996 13:00:29 +0800
> > That's once again a matter of defaults -- routers should _by default_ discard all packets from interfaces which they won't use for forwarding those packets back.
>
> This is a sweeping statement.

Note that _by default_ implies that there's a way to override it. Now, in practically all LANs and corporate networks, paths are symmetrical unless something is misconfigured. Forceful prevention of asymmetrical paths is a Good Thing, then -- it allows one to identify problems before something crashes. All single-homed customers of ISPs also have the tail-link part of their paths symmetrical, and forced rejection of wrong source addresses brings no harm and allows one to prevent a lot of damage caused by malicious attacks or simply misconfigured machines. Backbones use asymmetrical routing a lot; they also have skilled personnel (well, usually) who would know how to disable the backward-path checks when necessary.

> 1. Prevention of IP spoofing.

Yes.

> 2. Prevention of asymmetric routing.

Not. Backbones have to have asymmetry, in the general case, if you want to compress routing information.

> 3. Better TCP windowing and better performance when all packets follow the same path.

Not really. TCP mostly cares about round-trip, not the timing of forward and backward paths.

> However, are the benefits worth the overhead?

That's not significant, as such filtering is done at tail-link routers, which are not overloaded (generally).

> What are the effects on network redundancy?

Does limiting the ability to do hard-to-trace denial of service attacks count as improving network redundancy?

> What other issues am I overlooking?
Inertia. Even obviously Good Things like doing persistent static routing by default aren't getting deployed, although cisco's current default of "floating" static routes is the #1 contributor to route flap. Does any major ISP override the default by adding "backup" routes to Null0 in a systematic way? I think not. In the same vein, how many people don't forget to add "no ip proxy-arp" to their interface definitions? I know quite a few who were bitten by forgetting about that default. Or take interfaces being active (and listening!) to routing updates by default, or silly recommendations in manuals, or ... (you continue, the list is nearly endless).

The Rules of Safe (and Reliable) Networking are:

1) Disable All Features You Don't Need.
2) Don't Do Any Dynamic Routing Where Only One Path Exists.
3) Do Not Allow Packets To Go To Where They Are Not Supposed To Go To And Come From Where They Aren't Supposed To Come From. (The short form of that maxim is "Filter!".)
4) Don't Accept Suspicious Routes And Watch What You're Announcing. (The short form of that maxim is also "Filter!".)
5) K.I.S.S.
6) Don't Trust Anyone.

Unfortunately the feature-happy router vendors do everything to make following those rules very hard by enabling virtually everything by default and so encouraging users to shoot themselves in the foot. I.e., to _disable_ stuff you need to be an expert and know what it does! Most simply don't bother.

--vadim
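The check argued over in this thread, "discard packets from interfaces which the router won't use for forwarding those packets back", is a lookup of the packet's source address in the forwarding table. The following is an added example, not code from the original post or from any router vendor: a small model of that check over a constructed FIB, in a strict form (the route back to the source must leave via the ingress interface) and a loose form (any non-discard route to the source suffices). The interface names, prefixes and sample packets are made up for the illustration; a static route to Null0 is included to show how the "backup" routes mentioned above interact with the check.

```python
"""Strict vs. loose reverse-path filtering over a constructed FIB.

Added example, not from the original post.  The FIB, interface names
and sample packets below are all constructed for illustration.
"""
import ipaddress
from typing import Optional

# Constructed forwarding table: (prefix, egress interface).
# 'Null0' is the discard interface; the /22 entry pointing at it is a
# static "backup" route covering an aggregate, with the customer's
# real /24 as a more specific route.
FIB = [
    ("0.0.0.0/0", "Serial0"),          # default route toward the upstream
    ("192.0.2.0/24", "Ethernet0"),     # single-homed customer LAN
    ("198.51.100.0/24", "Ethernet1"),  # second customer LAN
    ("198.51.100.0/22", "Null0"),      # aggregate backup route to Null0
    ("203.0.113.0/24", "Serial1"),     # reached via a second uplink
]


def lookup(addr: str, fib=FIB) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = ifname, net.prefixlen
    return best


def rpf_check(src: str, ingress: str, mode: str = "strict", fib=FIB) -> bool:
    """Return True if a packet with source `src` arriving on `ingress`
    should be accepted.

    strict: the route back to src must leave via the ingress interface,
            so asymmetric paths are rejected along with spoofed sources.
    loose:  any route to src other than the discard interface suffices;
            note that with a default route present this accepts every
            source that is not explicitly routed to Null0.
    """
    egress = lookup(src, fib)
    if egress is None or egress == "Null0":
        return False  # unroutable or explicitly discarded source
    if mode == "strict":
        return egress == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def classify(packets, mode: str = "strict"):
    """Apply rpf_check to (src, ingress) pairs; returns {(src, ingress): bool}."""
    return {(src, iface): rpf_check(src, iface, mode) for src, iface in packets}


if __name__ == "__main__":
    # Constructed sample traffic.
    SAMPLE = [
        ("192.0.2.10", "Ethernet0"),    # legitimate customer source
        ("10.0.0.1", "Ethernet0"),      # spoofed source from the customer LAN
        ("203.0.113.7", "Serial0"),     # asymmetric: arrives on the other uplink
        ("198.51.101.5", "Ethernet1"),  # inside the aggregate, routed to Null0
    ]
    for mode in ("strict", "loose"):
        for (src, iface), ok in classify(SAMPLE, mode).items():
            print(f"{mode:6s} {src:>14s} on {iface:9s} -> {'accept' if ok else 'drop'}")
```

Run as a script, the strict mode drops the spoofed 10.0.0.1 packet and the asymmetric 203.0.113.7 packet alike, which is exactly the tension in the thread: on a tail link the second case does not occur, so strict checking costs nothing there; on a backbone it would drop legitimate traffic, and the loose form keeps only the protection against sources that are unroutable or deliberately routed to Null0.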
Current thread:
- Re: Ping flooding George Herbert (Jul 08)
- <Possible follow-ups>
- Re: Ping flooding Rob Gutierrez (Jul 09)
- Re: Ping flooding Perry E. Metzger (Jul 10)
- Re: Ping flooding Vadim Antonov (Jul 09)
- Re: Ping flooding Jerry Anderson (Jul 11)
- Re: Ping flooding Brett D. Watson (Jul 10)
- Re: Ping flooding Vadim Antonov (Jul 11)
- Re: Ping flooding Alan Hannan (Jul 11)
- Re: Ping flooding Per Gregers Bilse (Jul 11)
- Routing flaps, was Re: Ping flooding Forrest W. Christian (Jul 12)
- Re: Ping flooding Alan Hannan (Jul 11)
- Re: Ping flooding Bradley J. Passwaters (Jul 11)
- Re: Ping flooding Paul Ferguson (Jul 11)
- Re: Ping flooding Alan Hannan (Jul 11)
- Re: Ping flooding Jerry Anderson (Jul 12)
- Re: Ping flooding Vadim Antonov (Jul 11)
- Re: Ping flooding Vern Paxson (Jul 11)
- Re: Ping flooding Jeffrey Burgan (Jul 12)