Firewall Wizards mailing list archives
RE: Recent Attacks
From: "Troy Henley" <tgh () cprslaw com>
Date: Thu, 17 Feb 2000 10:14:19 -0500
Sorry, I am a newby, could you describe what "smurf" is ? I am guessing it is a utility but I am not certain. Thanks -----Original Message----- From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Bennett Todd Sent: Wednesday, February 16, 2000 12:56 PM To: Marcus J. Ranum Cc: firewall-wizards () nfr net Subject: Re: Recent Attacks I may be a cad and a barbarian, but I'm less concerned with identifying who's doing it, and more concerned with making the attacks harder to mount, and easier to stop. I very strongly believe that one step will do a great deal to reduce the severity of this problem (e.g., it would essentially stop the current tools, and make any replacements far, far less effective), and that's to make ingress filtering universal. While route-based packet filtering, to toss forged source addrs, is very hard if not impossible once the packet enters the core routers, when it's passing through the border router, the router that has a simple static route for the LAN the packet originated on, the filtering is trivial to implement. Some routers (e.g. Linux) can be switched to do it automatically, with no configuration changes necessary as the routing environment changes. I expect that will be a required feature in routers very quickly, and not long after that we'll start seeing blacklists, to help you block nets that don't do ingress filtering right at your routers. Allowing forged source addrs in and out of your nets is bad hygiene. And if DDoS attacks couldn't used forged source addrs, they couldn't use smurf to amplify their effects, and they couldn't be reused at all; the moment a victim starts capturing packets, they'd have the source addrs of all the machines in the attackers DDoS net --- and building those nets remains the relatively hard prep work for mounting one of these attacks. If we had universal ingress filtering, the moment someone started launching one of these the victim could start contacting the compromised sites, and if they refused to address their problem they could request that the streams by blocked by the compromised sites' providers. Right now, only some nets nets have ingress filtering --- those run by competant and knowlegeable networks admins who care about security. But I think it will not be long before running without ingress filtering is as unacceptable --- and gets you blacklisted as hard and fast --- as running an open relay email server. -Bennett
Current thread:
- Re: Recent Attacks, (continued)
- Re: Recent Attacks Frank L. Heidt (Feb 17)
- Re: Recent Attacks Iván Arce (Feb 17)
- Re: Recent Attacks Paul D. Robertson (Feb 19)
- Re: Recent Attacks Matthew_S_Cramer (Feb 15)
- Re: Recent Attacks Philip J. Koenig (Feb 17)
- Re: Recent Attacks Don Kendrick (Feb 16)
- Re: Recent Attacks Iván Arce (Feb 17)
- Re: Recent Attacks sedwards (Feb 19)
- RE: Recent Attacks Moore, James (Feb 16)
- RE: Recent Attacks John Ross (Feb 17)
- RE: Recent Attacks Troy Henley (Feb 17)
- Re: Recent Attacks Bennett Todd (Feb 17)
- Re: Recent Attacks apotter (Feb 17)
- Re: Recent Attacks blyonpop (Feb 17)
- Re: Recent Attacks Chris Cappuccio (Feb 19)
- RE: Recent Attacks Staggs, Michael (Feb 17)
- Re: Recent Attacks Barney Wolff (Feb 17)
- Re: Recent Attacks Don Kendrick (Feb 19)
- RE: Recent Attacks Staggs, Michael (Feb 19)
- Re: Recent Attacks Steven M. Bellovin (Feb 19)
- Re: Recent Attacks Transistor Sister (Feb 19)
(Thread continues...)