Firewall Wizards mailing list archives

Re: SANS Flash: Urgent Request For Help In Stopping DOS Attacks (fwd)


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 30 Mar 2000 00:29:36 -0500 (EST)

On Wed, 29 Mar 2000, Andy Bach wrote:

Hey,

SANS is requesting Internet-wide assistance w/ stopping DOS attack by 
reconfiguring routers.  Anybody looked at the instructions/info and seen 
if it would work?
http://www.sans.org/dosstep/index.htm 

Egress filtering is widely agreed to be the best short-term fix for the
attacks.  At the least, it will make upstream filtering and launch point
notification effective and easy.  At the best, it will take spoofing out
of the picture.  For extremely large sites with multiple colocation
facilities, it doesn't take a large percentage of egress filters to make
DDoS a non-event (I've seen numbers under 50% quoted, but I'm not sure of
their validity.)

If you're using Cisco routers, egress filters on the outbound interface
should be "fast switched" and negligible under most circumstances- for the
cases where your aggregate traffic is enough that that isn't the case,
simply go back a node or two until it is :). It's not that painful to do,
and well-worth doing since this tends to be one of those "you're either
part of the problem or part of the solution" things.

The SANS site has links to most anything anyone would need to get to the
point where they're doing the right thing.

from contributing to the DOS threat.  Tools will soon be
publicly posted to determine which organizations have and have
not protected their users and which ones have systems that 
still can be used as a threat to the rest of the community.

<Warning - vested interest time>

Most probably (though I can't speak for SANS- so maybe that should be
"hopefully") this is at least in part a reference to NetLitmus (Yes, the
name sucks) which is available to anyone who signs up for the Internet
Security Alliance, formed by ICSA.net recently in response to the same set
of worries and issues [it's a free sign up for anyone who can reach
http://www.icsa.net.]  I'd expect that most readers of this list _don't_
really need a tool to determine if they have egress filters in place
though (unless they don't own their border router or want to check those
home DSL/cable providers) and want to check and see if their provider is
doing the right thing (and hopefully encourage them to get on the right
path if they aren't.)

</vested interest>

More than 100 organizations in the SANS community have tested
the guidelines, which were drafted by Mark Krause of UUNET with
help from security experts at most of the other major ISPs and 
at the MITRE organization. The testing has improved them 
enormously. (A huge thank-you goes to the people who did the 
testing.)

Out of all of the guidelines, egress filtering is definitely the one the
most people can do the quickest that will immediately solve the
accountability problem when someone is getting DDoSed *and* allow their
upstream to filter the true source address while the problem is being
fixed.  If *your* network gets DDoSed, you'll *really* want this
capability, but if you're one of the people on the sidelines not doing
egress filtering, you won't have the luxury if there are more of you than
there are of us who are doing responsible egress filtering.

Egress filtering takes minutes to apply to any reasonable border router,
*please* *please* *please* take the time to apply it to yours.  If you
can't make immediate production changes, please put it on the schedule
under routine maintenance.  [I've only used Cisco routers recently, so
I'll just hit that] - as long as you make sure you have the permit for
your address range in the rules before you apply them to the interface,
there's no need to drop the router to apply the filters, no downtime and
just don't forget to write mem.  
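As an added illustration (not part of the original post, and not SANS' or Cisco's own text), here is what the procedure above looks like in Cisco IOS form, with the permit for the site's own range entered before the list is bound outbound; the address block 192.0.2.0/24 and the interface name Serial0 are placeholders assumed for illustration.

```cisco
! Added example: RFC 2827-style egress filter for a site whose only
! allocated block is 192.0.2.0/24 (placeholder; substitute your own range).
! Build the whole list BEFORE binding it to the interface, so the permit
! for your own addresses is already present when the deny takes effect
! and your legitimate traffic is never cut off.
configure terminal
!
access-list 101 remark Egress filter: only our own source addresses may leave
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
! Anything else carries a spoofed (or misconfigured) source; drop and log it.
access-list 101 deny   ip any any log
!
! Serial0 is the placeholder upstream-facing border interface.
interface Serial0
 ip access-group 101 out
 exit
!
end
! Persist the change across a reload (the "write mem" step above).
write memory
!
! Verification: deny hits on this list are hosts inside your network
! emitting packets with sources outside 192.0.2.0/24 - worth chasing down.
show access-lists 101
```

The deny counter from `show access-lists 101` is the cheapest local indicator that something on your side is trying to spoof, well before an upstream complaint arrives.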

Kudos to Alan and SANS for stepping up to the plate and making noise about
this now instead of waiting for the next set of attacks.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
