Firewall Wizards mailing list archives
Re: DDOS Countermeasures RFC
From: Eric Vyncke <evyncke () cisco com>
Date: Wed, 31 Jan 2001 11:40:31 +0100
At 18:19 29/01/01 -0700, Ryan Russell wrote:
> On Mon, 29 Jan 2001, Marcus J. Ranum wrote:
>> We're doomed, aren't we?
>
> No, not really. There are technical countermeasures to solve the problem. People just won't implement them until they have to. To take a page from your book... legislate that it's illegal to allow spoofed packets off your net if you're an ISP, school, etc., and that it's illegal to peer with other ISPs who don't follow the same guidelines (keeps those countries in line that won't comply with US laws. The nerve.) Make the punishments really harsh, like any network admin who doesn't comply gets his/her house seized.

I do not know whether you are ironic or not on this statement ;-)

> Or, perhaps just get Cisco to add an interface statement "leaf-subnet" that is on by default, which prevents spoofing into that interface.

As a Cisco employee, I would be afraid of changing the default behavior of a router. This would generate thousands of calls to our support center of people complaining: 'this was working before but after upgrade it does not work anymore' (for people having a non 'leaf-subnet')... ;-)

As you probably know, this command is already existing under a more esoteric form:

    ip verify unicast reverse-path

But, you are right, preventing IP spoofing on leaf nodes (or even on the edge of an ISP POP) is damned easy nowadays. Without IP spoofing, most of the attacks would be traceable and with the right laws, the security of the Internet would be much improved.

Just my 0.01 EUR

-eric

Eric Vyncke
Distinguished Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke () cisco com
Mobile: +32-475-312.458
PGP Key available on request
MOBILE HAS CHANGED ON 11th November 2000
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
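
An added illustration, not part of Eric Vyncke's message and not Cisco's code: a simplified Python model of the strict reverse-path check that `ip verify unicast reverse-path` applies on an interface. The interfaces, routing table and packets are constructed, and the model assumes a single best route per prefix.

```python
import ipaddress

# Constructed forwarding table for a hypothetical edge router: (prefix, egress interface).
FIB = [
    ("0.0.0.0/0", "Serial0"),          # default route toward the upstream
    ("192.0.2.0/24", "Ethernet0"),     # leaf subnet A
    ("198.51.100.0/25", "Ethernet1"),  # leaf subnet B
]

def build_fib(entries):
    """Parse prefixes once and sort them longest-prefix-first."""
    parsed = [(ipaddress.ip_network(p), ifname) for p, ifname in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in fib:
        if ip in net:
            return ifname
    return None

def urpf_strict(fib, src, in_ifname):
    """Accept only if the route back to src leaves via the arrival interface."""
    return lookup(fib, src) == in_ifname

def filter_packets(fib, packets):
    """Return (src, arrival interface, verdict) for each packet."""
    return [(s, i, "pass" if urpf_strict(fib, s, i) else "drop") for s, i in packets]

# Constructed sample traffic: (source address, arrival interface).
PACKETS = [
    ("192.0.2.10", "Ethernet0"),      # genuine host on leaf A
    ("203.0.113.7", "Ethernet0"),     # spoofed: route to source is via Serial0
    ("198.51.100.20", "Ethernet0"),   # spoofed: source belongs to leaf B
    ("198.51.100.200", "Ethernet1"),  # outside the /25, falls to the default route
    ("203.0.113.7", "Serial0"),       # Internet host arriving from the upstream
]

if __name__ == "__main__":
    for src, ifname, verdict in filter_packets(build_fib(FIB), PACKETS):
        print(f"{verdict:4}  src={src:<15} in={ifname}")
```

The last packet shows why the check belongs on leaf-facing interfaces: on the upstream interface the default route makes almost any source address pass.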