Firewall Wizards mailing list archives
Re: SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 30 Mar 2000 00:29:36 -0500 (EST)
On Wed, 29 Mar 2000, Andy Bach wrote:
> Hey, SANS is requesting Internet-wide assistance w/ stopping DOS attack by reconfiguring routers. Anybody looked at the instructions/info and seen if it would work? http://www.sans.org/dosstep/index.htm
Egress filtering is widely agreed to be the best short-term fix for the attacks. At the least, it will make upstream filtering and launch point notification effective and easy. At the best, it will take spoofing out of the picture. For extremely large sites with multiple colocation facilities, it doesn't take a large percentage of egress filters to make DDoS a non-event (I've seen numbers under 50% quoted, but I'm not sure of their validity.) If you're using Cisco routers, egress filters on the outbound interface should be "fast switched" and negligible under most circumstances - for the cases where your aggregate traffic is enough that that isn't the case, simply go back a node or two until it is :). It's not that painful to do, and well worth doing since this tends to be one of those "you're either part of the problem or part of the solution" things. The SANS site has links to most anything anyone would need to get to the point where they're doing the right thing.
> from contributing to the DOS threat. Tools will soon be publicly posted to determine which organizations have and have not protected their users and which ones have systems that still can be used as a threat to the rest of the community.
<Warning - vested interest time> Most probably (though I can't speak for SANS- so maybe that should be "hopefully") this is at least in part a reference to NetLitmus (Yes, the name sucks) which is available to anyone who signs up for the Internet Security Alliance, formed by ICSA.net recently in response to the same set of worries and issues [it's a free sign up for anyone who can reach http://www.icsa.net.] I'd expect that most readers of this list _don't_ really need a tool to determine if they have egress filters in place though (unless they don't own their border router or want to check those home DSL/cable providers) and want to check and see if their provider is doing the right thing (and hopefully encourage them to get on the right path if they aren't.) </vested interest>
> More than 100 organizations in the SANS community have tested the guidelines, which were drafted by Mark Krause of UUNET with help from security experts at most of the other major ISPs and at the MITRE organization. The testing has improved them enormously. (A huge thank-you goes to the people who did the testing.)
Out of all of the guidelines, egress filtering is definitely the one the most people can do the quickest that will immediately solve the accountability problem when someone is getting DDoSed *and* allow their upstream to filter the true source address while the problem is being fixed. If *your* network gets DDoSed, you'll *really* want this capability, but if you're one of the people on the sidelines not doing egress filtering, you won't have the luxury if there are more of you than there are of us who are doing responsible egress filtering. Egress filtering takes minutes to apply to any reasonable border router, *please* *please* *please* take the time to apply it to yours. If you can't make immediate production changes, please put it on the schedule under routine maintenance. [I've only used Cisco routers recently, so I'll just hit that] - as long as you make sure you have the permit for your address range in the rules before you apply them to the interface, there's no need to drop the router to apply the filters, no downtime and just don't forget to write mem. Kudos to Alan and SANS for stepping up to the plate and making noise about this now instead of waiting for the next set of attacks.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280
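The egress filter the thread describes, modelled as an added example (not code from the list, SANS or the guidelines): the site's own prefixes are permitted first, everything else is denied, and the same rule set is applied to constructed outbound packets to show which spoofed sources would be dropped. The prefixes, ACL name and sample packets are constructed; the rendered ACL uses the standard Cisco IOS named extended ACL syntax with wildcard masks.

```python
"""Model of the egress filter recommended in the thread: forward only packets
whose source address lies in the site's own prefixes, drop everything else.
Added example; prefixes and packets below are constructed sample data."""
import ipaddress

# Constructed sample: the site's own address space (RFC 5737 documentation ranges).
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]


def wildcard_mask(network: ipaddress.IPv4Network) -> str:
    """Cisco IOS ACLs use wildcard (inverse) masks: a 0 bit must match."""
    return str(network.hostmask)


def build_egress_acl(prefixes, name="EGRESS-FILTER"):
    """Render a named extended ACL: one permit per own prefix, then deny-all.
    Ordering matters: as the thread notes, the permits for your own range
    must be in place before the deny so applying it cuts no legitimate traffic."""
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        lines.append(f" permit ip {net.network_address} {wildcard_mask(net)} any")
    lines.append(" deny ip any any log")  # log hits: these are spoofed or misrouted
    return "\n".join(lines)


def egress_permitted(src_ip: str, prefixes) -> bool:
    """Evaluate one outbound packet's source address against the filter."""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in ipaddress.IPv4Network(p) for p in prefixes)


def filter_packets(packets, prefixes):
    """Split constructed (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_permitted(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    print(build_egress_acl(OWN_PREFIXES))
    sample = [("192.0.2.10", "203.0.113.5"),      # legitimate, own range
              ("198.51.100.200", "203.0.113.5"),  # outside the /25 we own
              ("10.9.8.7", "203.0.113.5")]        # spoofed private source
    fwd, drop = filter_packets(sample, OWN_PREFIXES)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

The rendered ACL is applied outbound on the border interface (`ip access-group EGRESS-FILTER out`) and then saved, which is the `write mem` step the message mentions.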