Firewall Wizards mailing list archives
RE: RE: Why blocking bogons buys you nothing (Mikael Olsson)
From: "Stephen Gill" <gillsr () yahoo com>
Date: Mon, 10 Nov 2003 12:28:23 -0600
Hi Michael,

] Actually, don't you mean egress spoofing protection here?
] That's a totally separate issue.

Not necessarily. Egress filtering in one direction may equal ingress filtering in another. Transit filtering fits into both of these categories, which is where Unicast RPF (loose and strict) comes in, though not part of your target audience. In all cases, I'm advocating filtering as far as possible upstream, even including a local firewall's upstream router. So a rough order of preference would be:

- egress anti-spoof filtering
- transit strict uRPF
- transit loose uRPF
- upstream ingress bogon filtering
- firewall ingress bogon filtering

The further you go downstream, the more likely your pipes will be filled with cruft :|. It's not that firewall ingress bogon filtering buys you nothing, it's that all the others buy you so much more that efforts on filtering should be concentrated there first, because that's where you'll get the most bang for your buck.

] > So why are we drawing global conclusions from a _single_ site?
] Because from what I've seen, that's pretty much what everyone else
] is doing when it comes to bogons :)

Hopefully they aren't, though I don't have any hard data to prove or disprove this. In either case, continuing a bad trend in fact finding doesn't make this data any more believable.

] This MAN has about five or six thousand public IPs, spread out over
] five or six disjoint spans. It's got plenty of people that are likely
] to attract DDoS attacks (IRC weenies), and indeed, they do happen.

Unfortunately it's not the number of IPs that one manages (be it private or public), but the juiciness of the target. Again, as you stated, there were relatively few DoS attacks in your dataset, and only one of them was considered large. In my opinion, that would classify the dataset used in this study as too narrow to have a broad enough perspective on what really happens on the Internet as a whole.

] It's not the uunet backbone, but, in my opinion, it's representative
] enough for my target audience.

I'd say from the average firewall's perspective, bogon filtering would probably be best suited for a router or network connection further upstream - see above.

] 40-50% is not "significant" for a DDoS in my opinion. Especially
] not if you're doing it on the wrong end of your Internet connection.

Not sure what this was referring to...

] Yes, but the technical reasons are not the same.
] - 0.* is good to drop because of dumb software that assumes that if
] - 127.* is good because lots of dumb software think that packets
] - 224.* and up is good because you don't want to end up sending responses

RFC 3330 is a great reference: ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt

] > [... snip lots of argumentation related to me not putting
] > "inbound" in the title. It's there now.]

Great!

Cheers,
-- steve

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
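The post above ranks strict uRPF, loose uRPF and bogon filtering without showing what each check actually decides for a given packet. The following Python is an added illustration, not code from the list or from any of its participants: it models a tiny forwarding table (a constructed FIB with a customer interface, a peer interface, a null route and a default route) and applies an RFC 3330 bogon check, a strict uRPF check and a loose uRPF check to sample source addresses. The interface names, prefixes and the rule that a default route does not satisfy uRPF are assumptions made for the example.

```python
"""Illustrative uRPF (strict/loose) and RFC 3330 bogon source checks.

Added example, not code from the firewall-wizards post. The FIB, interface
names and sample packets are constructed for the demonstration.
"""
import ipaddress

# Special-use prefixes from RFC 3330 that should never appear as a source
# address on an Internet-facing interface (the "bogon" set discussed above).
RFC3330_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # private (RFC 1918)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link local
    "172.16.0.0/12",    # private (RFC 1918)
    "192.0.2.0/24",     # TEST-NET
    "192.168.0.0/16",   # private (RFC 1918)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Constructed FIB: (prefix, egress interface). iface None means a null route.
FIB = [
    (ipaddress.ip_network("198.51.100.0/24"), "eth1"),    # customer behind eth1
    (ipaddress.ip_network("203.0.113.0/24"), "eth2"),     # peer behind eth2
    (ipaddress.ip_network("203.0.113.128/25"), None),     # blackholed sub-range
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),          # default to upstream
]


def lookup(src):
    """Longest-prefix match over the constructed FIB; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in FIB:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def is_bogon(src):
    """True if the source falls inside any RFC 3330 special-use prefix."""
    return any(src in net for net in RFC3330_BOGONS)


def strict_urpf(src, ingress):
    """Strict mode: the best route back to src must point out the ingress interface.

    Assumption for this example: the default route never satisfies uRPF.
    """
    route = lookup(src)
    if route is None or route[0].prefixlen == 0:
        return False
    return route[1] == ingress


def loose_urpf(src, ingress):
    """Loose mode: any non-default, non-null route back to src is enough,
    regardless of which interface the packet arrived on."""
    route = lookup(src)
    return route is not None and route[0].prefixlen != 0 and route[1] is not None


def filter_packet(src_str, ingress, mode):
    """Return the verdict for a packet with source src_str arriving on ingress.

    mode is "strict", "loose" or "bogon-only"; bogon filtering is applied first
    in every mode because it needs no routing state at all.
    """
    src = ipaddress.ip_address(src_str)
    if is_bogon(src):
        return "drop:bogon"
    if mode == "strict" and not strict_urpf(src, ingress):
        return "drop:strict-urpf"
    if mode == "loose" and not loose_urpf(src, ingress):
        return "drop:loose-urpf"
    return "accept"


if __name__ == "__main__":
    samples = [  # (source, ingress interface, mode) -- constructed packets
        ("10.1.2.3", "eth1", "bogon-only"),      # RFC 1918 source from a customer
        ("198.51.100.7", "eth1", "strict"),      # customer address on its own port
        ("198.51.100.7", "eth2", "strict"),      # customer address arriving via peer
        ("198.51.100.7", "eth2", "loose"),       # same packet, loose mode
        ("198.51.101.5", "eth1", "loose"),       # only the default route matches
        ("203.0.113.129", "eth2", "loose"),      # null-routed source
    ]
    for src, iface, mode in samples:
        print(f"{src:>14} on {iface} [{mode:>10}] -> {filter_packet(src, iface, mode)}")
```

The strict/loose split is the interesting part: a customer address arriving on the peer interface is dropped by strict uRPF but accepted by loose uRPF, which is why the post places strict ahead of loose; loose mode still catches sources that are only reachable via the default route or that have been null-routed, and the bogon check catches RFC 3330 space before any routing lookup happens.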
Current thread:
- RE: Why blocking bogons buys you nothing (Mikael Olsson) Stephen Gill (Nov 09)
- Re: RE: Why blocking bogons buys you nothing (Mikael Olsson) Mikael Olsson (Nov 09)
- Re: RE: Why blocking bogons buys you nothing (Mikael Olsson) Barney Wolff (Nov 10)
- Re: RE: Why blocking bogons buys you nothing (Mikael Olsson) Mikael Olsson (Nov 10)
- RE: RE: Why blocking bogons buys you nothing (Mikael Olsson) Stephen Gill (Nov 11)
- Re: RE: Why blocking bogons buys you nothing (Mikael Olsson) Barney Wolff (Nov 10)
- Re: RE: Why blocking bogons buys you nothing (Mikael Olsson) Mikael Olsson (Nov 09)