Firewall Wizards mailing list archives

RE: Recent Attacks

From: "Troy Henley" <tgh () cprslaw com>
Date: Thu, 17 Feb 2000 10:14:19 -0500

Sorry, I am a newby, could you describe what "smurf" is ?  I am guessing it
is a utility but I am not certain.  Thanks

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Bennett Todd
Sent: Wednesday, February 16, 2000 12:56 PM
To: Marcus J. Ranum
Cc: firewall-wizards () nfr net
Subject: Re: Recent Attacks

I may be a cad and a barbarian, but I'm less concerned with
identifying who's doing it, and more concerned with making the
attacks harder to mount, and easier to stop.

I very strongly believe that one step will do a great deal to reduce
the severity of this problem (e.g., it would essentially stop the
current tools, and make any replacements far, far less effective),
and that's to make ingress filtering universal.

While route-based packet filtering, to toss forged source addrs, is
very hard if not impossible once the packet enters the core routers,
when it's passing through the border router, the router that has a
simple static route for the LAN the packet originated on, the
filtering is trivial to implement. Some routers (e.g. Linux) can be
switched to do it automatically, with no configuration changes
necessary as the routing environment changes. I expect that will be
a required feature in routers very quickly, and not long after that
we'll start seeing blacklists, to help you block nets that don't do
ingress filtering right at your routers.

Allowing forged source addrs in and out of your nets is bad hygiene.

And if DDoS attacks couldn't used forged source addrs, they couldn't
use smurf to amplify their effects, and they couldn't be reused at
all; the moment a victim starts capturing packets, they'd have the
source addrs of all the machines in the attackers DDoS net --- and
building those nets remains the relatively hard prep work for
mounting one of these attacks. If we had universal ingress
filtering, the moment someone started launching one of these the
victim could start contacting the compromised sites, and if they
refused to address their problem they could request that the streams
by blocked by the compromised sites' providers.

Right now, only some nets nets have ingress filtering --- those
run by competant and knowlegeable networks admins who care about
security. But I think it will not be long before running without
ingress filtering is as unacceptable --- and gets you blacklisted as
hard and fast --- as running an open relay email server.

-Bennett

Current thread:

Re: Recent Attacks, (continued)
- - Re: Recent Attacks Frank L. Heidt (Feb 17)
  - Re: Recent Attacks Iván Arce (Feb 17)
    - Re: Recent Attacks Paul D. Robertson (Feb 19)
- Re: Recent Attacks Matthew_S_Cramer (Feb 15)
  - Re: Recent Attacks Philip J. Koenig (Feb 17)
- Re: Recent Attacks Don Kendrick (Feb 16)
  - Re: Recent Attacks Iván Arce (Feb 17)
  - Re: Recent Attacks sedwards (Feb 19)
- RE: Recent Attacks Moore, James (Feb 16)
- RE: Recent Attacks John Ross (Feb 17)
- RE: Recent Attacks Troy Henley (Feb 17)
  - Re: Recent Attacks Bennett Todd (Feb 17)
- Re: Recent Attacks apotter (Feb 17)
- Re: Recent Attacks blyonpop (Feb 17)
  - Re: Recent Attacks Chris Cappuccio (Feb 19)
- RE: Recent Attacks Staggs, Michael (Feb 17)
- Re: Recent Attacks Barney Wolff (Feb 17)
- Re: Recent Attacks Don Kendrick (Feb 19)
- RE: Recent Attacks Staggs, Michael (Feb 19)
- Re: Recent Attacks Steven M. Bellovin (Feb 19)
- Re: Recent Attacks Transistor Sister (Feb 19)

(Thread continues...)