Vulnerability Development mailing list archives
Re: Automatic antispoofing rules on access servers.
From: Jeffrey Karpenko <Jeffrey.Karpenko () RHIGROUP COM>
Date: Wed, 20 Sep 2000 08:47:01 -0400
Tekkers:

I recently looked into a situation at my workplace where the internal firewall dropped a group of NBT packets with a source and destination IP address not within our network range. In fact the source was sending to a destination within its own network, so how did those packets even make it out to the Internet? <shrug>. Wondering how we had the packets delivered to our Internet router baffled me. I can only assume by spoofing! (They didn't look like a broadcast to me.)

I called UUNET, our service provider, and inquired about the strange packets. They weren't much help. I then called Cisco as we have two routers before the internal firewall, one being a PIX. At this time, Cisco does not know how these packets got through the PIX and they went through each line of my config. I finally told Cisco I would set up a Sniff Trigger to capture the packets if it happened again. The case remains open.

I then looked into Ingress Filtering. Ingress Filtering checks to see if the path used to get to you is the shortest path. (If I am missing something please inform.) I called UUNET and requested Ingress Filtering on our "T Lines". I was directed to security where they told me they do not support Ingress Filtering because eventually it would affect the performance of other customers. By this they mean that before long everyone would want Ingress Filtering turned on and the switch would suffer because of the extra load. They suggest turning Ingress Filtering on locally to their customers.

I then turned it on in the PIX config . . . ( ip verify reverse-path interface outside ). This filter can be turned on for each interface. Turning it on for the "inside" interface would be called Egress Filtering and would prevent spoofs headed out from within your own network. Turning on Ingress Filtering locally, however, does not prevent packets from the Internet from hitting my PIX. This would mean that a DoS could be possible by flooding the bandwidth of the T from UUNET.
To prevent such a DoS one would need to be familiar with the normal usage percentage of the line's bandwidth, and have network monitoring software set up to alarm when the percentage is exceeded. UUNET will, upon proof of such an attack, temporarily turn on Ingress Filtering to stop the activity. I guess if someone wanted to take the time, they could gradually increase the bandwidth usage of a line, being careful not to flood it, causing the target company to have to pay more money to their Service Provider for bandwidth usage. Hmmm.

Jeffrey

-----Original Message-----
From: Ryan Permeh [mailto:Ryan () EEYE COM]
Sent: Tuesday, September 19, 2000 1:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Automatic antispoofing rules on access servers.

Although this is a neat idea, placing antispoofing rules on your border achieves the same level of protection at a much lower administrative cost. I used to work at an ISP, and putting together possibly thousands of antispoofing rules by hand in an understaffed, undertechnical environment is a hard thing to do. Especially in the ISP acquisition climate where your netblocks may not be the same for a while. If we got people to shut off broadcasts (at least ICMP, if not all) and spoofing at the borders it would help a whole lot.

PS: this doesn't just apply to ISPs. There are schools and businesses that are just as guilty (and sometimes have just as big networks).

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, September 18, 2000 7:50 PM
Subject: Automatic antispoofing rules on access servers.
I believe antispoofing filters won't really use up much CPU. So probably one of the main reasons ISPs don't use them at their access servers is the administrative cost in maintaining the rules. However I recently noticed that Cisco has a feature which seems to make this simpler to do.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/rpf_plus.htm

Do other major router/access server manufacturers have similar features? If such features were more widely used, smurfing and spoofing stuff would be a lot more difficult than it is now. Are there any problems which would discourage use by ISPs?

Cheerio,
Link.
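The reverse-path check the thread is about (what `ip verify reverse-path` on the PIX and the Cisco uRPF feature Lincoln links to enforce) is small enough to model in a few lines. The following is an added example, not code from the original messages or from Cisco: it builds a constructed two-interface routing table using documentation address ranges (203.0.113.0/24 as the site's own netblock, an assumption), runs a strict reverse-path check in both directions (ingress on "outside", egress on "inside"), and adds a separate destination check that mirrors what Jeffrey's internal firewall did with packets whose source and destination were both foreign.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str

# Constructed routing table (assumption, not from the thread):
# the site's own netblock sits behind "inside", everything else
# is reached via the default route through "outside".
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")
ROUTES: List[Route] = [
    Route(OWN_PREFIX, "inside"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

def best_route(addr: ipaddress.IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, as a forwarding table would do it."""
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def strict_rpf_ok(src: str, ingress: str, routes: List[Route] = ROUTES) -> bool:
    """Strict unicast reverse-path check: the best route back to the
    packet's source must leave through the interface the packet came in on.
    On "outside" this rejects packets claiming an internal source (ingress
    filtering); on "inside" it rejects packets leaving with a foreign
    source (egress filtering, in the thread's terms)."""
    route = best_route(ipaddress.ip_address(src), routes)
    return route is not None and route.iface == ingress

def classify(src: str, dst: str, ingress: str,
             routes: List[Route] = ROUTES,
             own: ipaddress.IPv4Network = OWN_PREFIX) -> str:
    """Return the verdict a border device would reach for one packet."""
    if not strict_rpf_ok(src, ingress, routes):
        return "drop: rpf"
    # A default route makes strict RPF pass any foreign source arriving on
    # "outside"; a packet that is not even addressed to our netblock has no
    # business being delivered here, so flag it separately.
    if ingress == "outside" and ipaddress.ip_address(dst) not in own:
        return "drop: not-for-us"
    return "pass"

# Constructed sample traffic (documentation ranges, not real captures).
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10", "outside"),  # ordinary inbound traffic
    ("203.0.113.5",  "203.0.113.10", "outside"),  # internal source from the Internet
    ("192.0.2.4",    "192.0.2.9",    "outside"),  # foreign src and dst, like the NBT packets
    ("203.0.113.5",  "198.51.100.7", "inside"),   # ordinary outbound traffic
    ("192.0.2.4",    "198.51.100.7", "inside"),   # foreign source leaving our network
]

def run_samples() -> List[str]:
    return [classify(src, dst, iface) for src, dst, iface in SAMPLE_PACKETS]

if __name__ == "__main__":
    for (src, dst, iface), verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{iface:8} {src:>14} -> {dst:<14} {verdict}")
```

The third sample is the interesting one: with a default route in the table, strict RPF on the outside interface accepts a foreign source, so the reverse-path check alone would not have caught the packets Jeffrey describes; only the destination check does. That is also why the thread's point stands that local filtering does nothing about the bandwidth those packets consume before they reach the filter.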