Firewall Wizards mailing list archives
RE: SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)
From: "LaPane, Mike" <MGL () para-protect com>
Date: Wed, 5 Apr 2000 10:48:15 -0400
I'd also like to add that ingress filtering is a good thing too. Egress is good protection to keep your site from being a DDoS site (it makes you a good netizen :) But, ingress will dump a lot of garbage on the floor. No, it won't protect you from everything, but you can drop all of the RFC1918 garbage on the floor. It will at least force someone to use real addresses to attack you (which you can then filter).

As far as Ciscos go, this is really a no-brainer on traffic impact (for the most part). Filtering on a 7500 with several FE line cards will kill it (in a very heavy environment), but you don't necessarily want to filter on the core. Look at distribution routers/switches that collapse into the core. This will lighten the load on the edge routers to the Internet. Most of the big ISPs are running non-Cisco devices on the edge, so I won't comment on the overhead of filtering on, say, a Juniper, Foundry, PacketEngine, etc. Although, most of these devices do ACL checks in ASICs, so I'll assume minimal processor overhead.

As far as applying ACLs on the Cisco, you should really use TFTP (I know, an ugly word, but it's easy to write an ACL that restricts where the TFTP connections will be accepted), or use the console. It's far too easy to FUBAR the ACL that blocks you out when you're telnetted into the router (this sucks :) If you have flash cards on the router (depends on type of router), you can copy the config to the flash and apply it from the console without killing yourself. You may drop your telnet, but the config will load.

Interesting that you point out the DSL/DOCSIS users; I see this as being the most difficult (not technically, just getting the providers to filter ;), might take an act of God to get people to do this.

IMHO, you should filter on the inside interfaces (for egress), not on an outbound access-group on the "outside" interfaces. You don't want to waste any routing cycles on packets that should never leave your network.
My 1 1/2 cents (value deflating as quickly as the stock market :)

Cheers,

-Mike

-----Original Message-----
From: Paul D. Robertson [mailto:proberts () clark net]
Sent: Thursday, March 30, 2000 12:30 AM
To: Andy Bach
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)

On Wed, 29 Mar 2000, Andy Bach wrote:

> Hey, SANS is requesting Internet-wide assistance w/ stopping DOS attack by
> reconfiguring routers. Anybody looked at the instructions/info and seen
> if it would work? http://www.sans.org/dosstep/index.htm
Egress filtering is widely agreed to be the best short-term fix for the attacks. At the least, it will make upstream filtering and launch point notification effective and easy. At the best, it will take spoofing out of the picture. For extremely large sites with multiple colocation facilities, it doesn't take a large percentage of egress filters to make DDoS a non-event (I've seen numbers under 50% quoted, but I'm not sure of their validity.) If you're using Cisco routers, egress filters on the outbound interface should be "fast switched" and negligible under most circumstances; for the cases where your aggregate traffic is enough that that isn't the case, simply go back a node or two until it is :). It's not that painful to do, and well worth doing since this tends to be one of those "you're either part of the problem or part of the solution" things. The SANS site has links to most anything anyone would need to get to the point where they're doing the right thing.

> from contributing to the DOS threat. Tools will soon be publicly posted to
> determine which organizations have and have not protected their users and
> which ones have systems that still can be used as a threat to the rest of
> the community.
<Warning - vested interest time> Most probably (though I can't speak for SANS- so maybe that should be "hopefully") this is at least in part a reference to NetLitmus (Yes, the name sucks) which is available to anyone who signs up for the Internet Security Alliance, formed by ICSA.net recently in response to the same set of worries and issues [it's a free sign up for anyone who can reach http://www.icsa.net.] I'd expect that most readers of this list _don't_ really need a tool to determine if they have egress filters in place though (unless they don't own their border router or want to check those home DSL/cable providers) and want to check and see if their provider is doing the right thing (and hopefully encourage them to get on the right path if they aren't.) </vested interest>
> More than 100 organizations in the SANS community have tested the
> guidelines, which were drafted by Mark Krause of UUNET with help from
> security experts at most of the other major ISPs and at the MITRE
> organization. The testing has improved them enormously. (A huge thank-you
> goes to the people who did the testing.)

Out of all of the guidelines, egress filtering is definitely the one the most people can do the quickest that will immediately solve the accountability problem when someone is getting DDoSed *and* allow their upstream to filter the true source address while the problem is being fixed. If *your* network gets DDoSed, you'll *really* want this capability, but if you're one of the people on the sidelines not doing egress filtering, you won't have the luxury if there are more of you than there are of us who are doing responsible egress filtering.

Egress filtering takes minutes to apply to any reasonable border router, *please* *please* *please* take the time to apply it to yours. If you can't make immediate production changes, please put it on the schedule under routine maintenance. [I've only used Cisco routers recently, so I'll just hit that] - as long as you make sure you have the permit for your address range in the rules before you apply them to the interface, there's no need to drop the router to apply the filters, no downtime and just don't forget to write mem.

Kudos to Alan and SANS for stepping up to the plate and making noise about this now instead of waiting for the next set of attacks.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280
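As an added illustration (not from the original thread or the SANS guidelines), the Cisco IOS access-list fragment below puts together Mike's advice (egress filter on the inside interface, ingress filter dropping RFC1918 sources) and Paul's (the permit for your own range goes before the deny). It assumes a site that owns the placeholder range 192.0.2.0/24, with FastEthernet0/0 facing the LAN and Serial0/0 facing the Internet.

```cisco
! Added example, not the thread's own configuration.
! Assumed: site address range 192.0.2.0/24 (placeholder documentation prefix),
! FastEthernet0/0 = inside (LAN), Serial0/0 = outside (Internet).
!
! Egress filter, applied INBOUND on the inside interface (Mike's point), so a
! spoofed packet is dropped before the router spends routing cycles on it.
! The permit for the site's own range comes first (Paul's point), so legitimate
! traffic keeps flowing the instant the list is bound to the interface.
! "log" on the deny lets you find the spoofing host; it costs CPU under load.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip any any log
!
! Ingress filter, applied inbound on the outside interface: drop the RFC1918
! ranges and anything claiming to come from our own range (an obvious spoof).
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 120 permit ip any any
!
interface FastEthernet0/0
 description Inside (LAN)
 ip access-group 110 in
!
interface Serial0/0
 description Outside (Internet)
 ip access-group 120 in
!
end
! Then, from exec mode, save it as Paul says: write memory
```

Apply it from the console or via TFTP rather than over an interactive telnet session, as Mike notes, and check `show access-lists` afterwards to confirm the deny counters are ticking only for traffic you actually expect to drop.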