Bugtraq mailing list archives

Re: improved synflood protection & detection


From: gert () GREENIE MUC DE (Gert Doering)
Date: Wed, 6 May 1998 23:17:07 +0200


Hi,

VaX#n8 wrote:
> [..]
> Consulting
> <URL:ftp://ftp.isi.edu/in-notes/iana/assignments/ipv4-address-space>
> one finds that there are several classes of reserved addresses,
> distinct from the private addresses codified in the related RFCs:
> [..]
> It may be worthwhile to generate a list of all address blocks not
> recently routed and construct a filter based on those.

This list will be very large due to the highly fragmented nature of 192/8,
for example, and will be ever-changing.

As long as there is no automatized way to generate this list, for example
by a routing registry like "whois.ra.net", but more complete and better
authenticated against erroneous objects, this is doomed to fail due to
high maintenance efforts.

On the other hand, I can only urge every internet service provider out
there to carefully read RFC2267 ("Network Ingress Filtering") and apply
strong filters to all customer lines.  After all, you KNOW very exactly
which IP addresses this customer is using (you route them to him), so
you can easily filter all packets with other source addresses.

While this won't immediately have any benefits to your network, it has
enormous benefits to everybody else -- they can't be attacked by your
customers any more.  (Thanks to Alan Cox for pointing this out to me, and
to Paul Ferguson for writing the RFC about it!).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert () greenie muc de
fax: +49-89-35655025                        gert.doering () physik tu-muenchen de
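Added example, not from Gert's message or from RFC 2267: a small simulation of the customer-line ingress filter he recommends. The provider already knows which prefixes it routes towards each customer interface, so the filter accepts a packet arriving on that interface only if its source address falls inside one of those prefixes; everything else (private space, another customer's block, an interface with no configured prefixes) is dropped. The interface names, prefixes (RFC 5737 documentation ranges) and packets are constructed for the example; the Cisco-style ACL output is only meant to show the shape such a filter takes on a router.

```python
"""RFC 2267-style ingress filtering on a provider edge, as a simulation.

Constructed example: none of the interfaces, prefixes or packets below
refer to a real network.
"""
import ipaddress
from typing import Dict, List, Tuple

# What the provider routes towards each customer line (assumed config).
CUSTOMER_ROUTES: Dict[str, List[str]] = {
    "ser0": ["192.0.2.0/24"],
    "ser1": ["198.51.100.0/25", "198.51.100.128/26"],
}

# (ingress interface, source address, destination address), constructed.
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("ser0", "192.0.2.17", "203.0.113.5"),      # legitimate customer source
    ("ser0", "10.0.0.1", "203.0.113.5"),        # spoofed private source
    ("ser0", "198.51.100.3", "203.0.113.5"),    # spoofed: other customer's block
    ("ser1", "198.51.100.150", "203.0.113.9"),  # inside 198.51.100.128/26
    ("ser1", "198.51.100.250", "203.0.113.9"),  # outside both ser1 prefixes
    ("ser2", "192.0.2.1", "203.0.113.9"),       # interface with no prefixes
]

FilterTable = Dict[str, List[ipaddress.IPv4Network]]


def build_filter(routes: Dict[str, List[str]]) -> FilterTable:
    """Turn the per-interface routed prefixes into network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in routes.items()}


def permitted(table: FilterTable, iface: str, src: str) -> bool:
    """A packet is accepted only if its source is routed to the interface
    it arrived on. Unknown interfaces have no prefixes, hence default deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def apply_ingress_filter(routes, packets):
    """Split packets into those the edge forwards and those it drops."""
    table = build_filter(routes)
    passed, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (passed if permitted(table, iface, src) else dropped).append(pkt)
    return passed, dropped


def to_cisco_acl(routes: Dict[str, List[str]], iface: str, acl_no: int) -> List[str]:
    """Render one interface's filter as an extended ACL: permit each routed
    prefix as a source (wildcard mask = host mask), then deny everything.
    Illustrative output only, not a tested router configuration."""
    lines = []
    for net in build_filter(routes)[iface]:
        lines.append(f"access-list {acl_no} permit ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_no} deny ip any any")
    return lines


if __name__ == "__main__":
    ok, bad = apply_ingress_filter(CUSTOMER_ROUTES, SAMPLE_PACKETS)
    for p in ok:
        print("PASS", p)
    for p in bad:
        print("DROP", p)
    print("\n".join(to_cisco_acl(CUSTOMER_ROUTES, "ser1", 101)))
```

The point of keeping the prefixes per interface rather than building one global "bogon" list is exactly the one Gert makes: the provider's own routing data is authoritative and already maintained, so the filter needs no external list that goes stale.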


