Firewall Wizards mailing list archives

RE: SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)


From: "LaPane, Mike" <MGL () para-protect com>
Date: Wed, 5 Apr 2000 10:48:15 -0400

I'd also like to add that ingress filtering is a good thing too. Egress
is good protection to keep your site from being a DDoS site (it makes
you a good netizen :) But, ingress will dump a lot of garbage on the
floor. No, it won't protect you from everything, but you can drop all of
the RFC1918 garbage on the floor. It will at least force someone to use
real addresses to attack you (which you can then filter).

As far as Ciscos go, this is really a no-brainer on traffic impact (for
the most part). Filtering on a 7500 with several FE line cards will kill
it (in a very heavy environment), but, you don't necessarily want to
filter on the core. Look at distribution routers/switches that collapse
into the core. This will lighten the load on the edge routers to the
Internet.

Most of the big ISPs are running non-Cisco devices on the edge, so I
won't comment on the overhead of filtering on say, a Juniper, Foundry,
PacketEngine, etc. Although, most of these devices do ACL checks in
ASICs, so I'll assume minimal processor overhead.

As far as applying ACLs on the Cisco, you should really use TFTP (I
know, an ugly word, but it's easy to write an ACL that restricts where
the TFTP connections will be accepted), or use the console. It's far too
easy to FUBAR the ACL that blocks you out when you're telnetted into the
router (this sucks :)

If you have flash cards on the router (depends on type of router), you
can copy the config to the flash and apply it from the console without
killing yourself. You may drop your telnet, but the config will load.

Interesting that you point out the DSL/DOCSIS users, I see this as being
the most difficult (not technically, just getting the providers to
filter ;), might take an act of God to get people to do this. 

IMHO, you should filter on the inside interfaces (for egress), not on an
outbound access-group on the "outside" interfaces. You don't want to
waste any routing cycles on packets that should never leave your
network.

My 1 1/2 cents (value deflating as quickly as the stock market :)

Cheers,

-Mike

-----Original Message-----
From: Paul D. Robertson [mailto:proberts () clark net]
Sent: Thursday, March 30, 2000 12:30 AM
To: Andy Bach
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)


On Wed, 29 Mar 2000, Andy Bach wrote:

Hey,

SANS is requesting Internet-wide assistance w/ stopping DOS attack by
reconfiguring routers.  Anybody looked at the instructions/info and seen
if it would work?
http://www.sans.org/dosstep/index.htm

Egress filtering is widely agreed to be the best short-term fix for the
attacks.  At the least, it will make upstream filtering and launch point
notification effective and easy.  At the best, it will take spoofing out
of the picture.  For extremely large sites with multiple colocation
facilities, it doesn't take a large percentage of egress filters to make
DDoS a non-event (I've seen numbers under 50% quoted, but I'm not sure of
their validity.)

If you're using Cisco routers, egress filters on the outbound interface
should be "fast switched" and negligible under most circumstances- for the
cases where your aggregate traffic is enough that that isn't the case,
simply go back a node or two until it is :). It's not that painful to do,
and well-worth doing since this tends to be one of those "you're either
part of the problem or part of the solution" things.

The SANS site has links to most anything anyone would need to get to the
point where they're doing the right thing.

from contributing to the DOS threat.  Tools will soon be
publicly posted to determine which organizations have and have
not protected their users and which ones have systems that 
still can be used as a threat to the rest of the community.

<Warning - vested interest time>

Most probably (though I can't speak for SANS- so maybe that should be
"hopefully") this is at least in part a reference to NetLitmus (Yes, the
name sucks) which is available to anyone who signs up for the Internet
Security Alliance, formed by ICSA.net recently in response to the same set
of worries and issues [it's a free sign up for anyone who can reach
http://www.icsa.net.]  I'd expect that most readers of this list _don't_
really need a tool to determine if they have egress filters in place
though (unless they don't own their border router or want to check those
home DSL/cable providers) and want to check and see if their provider is
doing the right thing (and hopefully encourage them to get on the right
path if they aren't.)

</vested interest>

More than 100 organizations in the SANS community have tested
the guidelines, which were drafted by Mark Krause of UUNET with
help from security experts at most of the other major ISPs and 
at the MITRE organization. The testing has improved them 
enormously. (A huge thank-you goes to the people who did the 
testing.)

Out of all of the guidelines, egress filtering is definitely the one the
most people can do the quickest that will immediately solve the
accountability problem when someone is getting DDoSed *and* allow their
upstream to filter the true source address while the problem is being
fixed.  If *your* network gets DDoSed, you'll *really* want this
capability, but if you're one of the people on the sidelines not doing
egress filtering, you won't have the luxury if there are more of you than
there are of us who are doing responsible egress filtering.

Egress filtering takes minutes to apply to any reasonable border router,
*please* *please* *please* take the time to apply it to yours.  If you
can't make immediate production changes, please put it on the schedule
under routine maintenance.  [I've only used Cisco routers recently, so
I'll just hit that] - as long as you make sure you have the permit for
your address range in the rules before you apply them to the interface,
there's no need to drop the router to apply the filters, no downtime and
just don't forget to write mem.  

Kudos to Alan and SANS for stepping up to the plate and making noise about
this now instead of waiting for the next set of attacks.


Paul
---------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
 
PSB#9280
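As an added example (it is not part of either message above and not taken from the SANS guidelines), here is what the two filters discussed in this thread look like as a Cisco IOS configuration: the egress filter applied inbound on the inside interface, as Mike recommends, so that spoofed packets are dropped before any routing decision, and the ingress filter applied inbound on the Internet-facing interface to drop the RFC1918 sources (and packets claiming to come from your own range). The site address range 192.0.2.0/24 and the interface names FastEthernet0/0 and Serial0/0 are assumptions for illustration; substitute your own.

```cisco
! Assumed site range: 192.0.2.0/24 (placeholder; use your own allocation)
!
! EGRESS: the only legitimate source addresses leaving this network are
! ours. Applied INBOUND on the inside (LAN-facing) interface, so a
! spoofed packet is dropped before it costs a routing lookup.
! The permit for our own range comes first, as Paul notes, so applying
! the list to the interface cannot cut off traffic you want.
ip access-list extended EGRESS-OUR-SOURCES-ONLY
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any
!
! INGRESS: nothing arriving from the Internet should claim a private
! (RFC1918), loopback, or locally-owned source address. Applied INBOUND
! on the Internet-facing interface. Last line keeps everything else.
ip access-list extended INGRESS-DROP-BOGUS
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/0
 description inside LAN (assumed interface name)
 ip access-group EGRESS-OUR-SOURCES-ONLY in
!
interface Serial0/0
 description Internet uplink (assumed interface name)
 ip access-group INGRESS-DROP-BOGUS in
```

Two practical notes. First, if you must apply this over telnet rather than from the console or via `copy tftp: running-config`, set a safety net beforehand with `reload in 15` and cancel it with `reload cancel` once you have confirmed you can still reach the router; if the ACL locks you out, the router comes back on the saved configuration. Finish with `write memory` so the filters survive a reboot. Second, do not put the `log` keyword on the `deny ip any any` line during an attack: every logged match is punted to the CPU, which defeats the point of keeping the filter in the fast path.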


