Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: Eric Vyncke <evyncke () cisco com>
Date: Wed, 31 Jan 2001 11:40:31 +0100

At 18:19 29/01/01 -0700, Ryan Russell wrote:
On Mon, 29 Jan 2001, Marcus J. Ranum wrote:
We're doomed, aren't we?

No, not really.  There are technical countermeasures to solve the
problem.  People just won't implement them until they have to.  To take a
page from your book... legislate that it's illegal to allow spoofed
packets off your net if you're an ISP, school, etc., and that it's illegal to
peer with other ISPs who don't follow the same guidelines (keeps those
countries in line that won't comply with US laws.  The nerve.)  Make the
punishments really harsh, like any network admin who doesn't comply gets
his/her house seized.

I do not know whether you are being ironic or not with this statement ;-)

Or, perhaps just get Cisco to add an interface statement "leaf-subnet"
that is on by default, which prevents spoofing into that interface.

As a Cisco employee, I would be afraid of changing the default behavior
of a router. This would generate thousands of calls to our support center
of people complaining: 'this was working before but after upgrade
it does not work anymore' (for people having a non 'leaf-subnet')... ;-)

As you probably know, this command already exists under a more
esoteric form:
   ip verify unicast reverse-path

But, you are right, preventing IP spoofing on leaf nodes (or even
on the edge of an ISP POP) is damned easy nowadays.
Without IP spoofing, most of the attacks would be traceable
and with the right laws, the security of the Internet would be much improved.

Just my 0.01 EUR

-eric

Eric Vyncke                        
Distinguished Engineer             Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-475-312.458
PGP Key available on request       MOBILE HAS CHANGED ON 11th November 2000

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
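Editor's added example, not part of the thread above: a small model of the check that `ip verify unicast reverse-path` (unicast RPF) performs on Cisco IOS, written in Python so it can be run without a router. Strict mode drops a packet unless the best route back to its source leaves through the interface it arrived on; loose mode (IOS: `ip verify unicast source reachable-via any`) only requires that some route to the source exist. The FIB, interface names and packets are constructed for illustration, and the default-route handling models IOS's `allow-default` keyword as an assumption about that behaviour. The fourth packet is the case Eric alludes to: an interface that is not a true leaf (asymmetric return path), where strict mode would break legitimate traffic and loose mode is the usual compromise.

```python
"""Model of Cisco-style unicast RPF (ip verify unicast reverse-path).

Added example, not code from the original post. FIB entries, interface
names and sample packets below are constructed, not taken from the thread.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed FIB: prefix -> outgoing interface (selected by longest-prefix match).
FIB = {
    "192.0.2.0/24":    "Gi0/1",  # leaf customer subnet, single-homed
    "198.51.100.0/24": "Gi0/2",  # customer that is also multihomed elsewhere
    "203.0.113.0/24":  "Gi0/3",  # peering link
    "0.0.0.0/0":       "Gi0/3",  # default route toward upstream
}


def lookup(src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of src in FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src: str, in_iface: str, mode: str = "strict",
         allow_default: bool = False) -> bool:
    """True if a packet with source src arriving on in_iface passes uRPF.

    strict: the route back to src must exit through in_iface.
    loose:  any route to src is enough (reachable-via any).
    allow_default: whether a match on 0.0.0.0/0 counts as a route; modelled
        on the IOS 'allow-default' keyword (assumption: off means the default
        route never satisfies the check).
    """
    match = lookup(src)
    if match is None:
        return False                      # no route at all: drop
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True                       # a real route exists, that is enough
    return out_iface == in_iface          # strict: reverse path must match


# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("192.0.2.10",   "Gi0/1", "legitimate host on the leaf subnet"),
    ("10.0.0.5",     "Gi0/1", "spoofed private source, no specific route"),
    ("203.0.113.7",  "Gi0/1", "spoofed: source lives on the peering link"),
    ("198.51.100.9", "Gi0/3", "multihomed customer, asymmetric return path"),
]


def evaluate(mode: str = "strict") -> dict:
    """Run every constructed packet through uRPF; returns {source: verdict}."""
    return {src: urpf(src, iface, mode) for src, iface, _ in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- uRPF {mode} mode ---")
        for src, iface, why in PACKETS:
            verdict = "pass" if urpf(src, iface, mode) else "DROP"
            print(f"{verdict:5} {src:14} in {iface}  ({why})")
```

Applying the filter at the customer edge rather than in the core is what makes it cheap: at the leaf the answer to "could this source legitimately come from here" is a single prefix, which is why strict mode fits there and loose mode is reserved for multihomed or asymmetric links.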

