Security Incidents mailing list archives

Re: SNMP Scans 02/17/02


From: Valdis.Kletnieks () vt edu
Date: Thu, 21 Feb 2002 14:02:36 -0500

On Tue, 19 Feb 2002 09:50:39 EST, Security Coordinator <security () aptusventures com>  said:

> would be hard for them to know, but then why is it we see so many spoofed 
> packets around? There should be ZERO of them on the net. Every router knows 
> what addresses to expect to be inside vs outside. 
> 
> I won't belabour the point, but YES, you should not just report it to the 
> ISP, you should let everyone know where attacks come from. What we REALLY 
> need is a database and system good enough to understand the topology of the 
> net and process attack reports in a sophisticated enough way that we can 
> say things like "if this router was filtering like thus, this would be 
> impossible" and if an ISP won't configure their equipment properly, then they 
> can be held liable. 

You know that, I know that - we put the lack of martian-packet
filtering in the SANS ddos document, it's mentioned in the SANS Top10,
and in the Top20.  I put it into the white paper that got used as the
basis for the Center for Internet Security benchmarks.  It's hardly news.

And RFC1918 says those address spaces are *not* for public use - but
if you go over to the NANOG list and suggest that ISPs filter
*RFC1918* packets that come out of customer sites (or quit numbering
their router point-to-point links out of 1918 space, which hoses Path
MTU discovery when our border routers correctly reject their
1918-sourced ICMP packets), you will surely start a flame-fest.

I'm afraid you're right - the only way those ISPs will change their attitude
is if one gets sued for contributory negligence for not filtering.

-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
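As an added illustration, not part of the original message, of the filtering both posters describe: a small Python model of a border router's ingress/egress (anti-spoofing) and martian/RFC 1918 source checks, which also flags the Path MTU discovery side effect Valdis mentions when an ICMP "fragmentation needed" arrives from an RFC 1918-numbered link. The site prefix and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed example: one site prefix behind the border (documentation range),
# plus the RFC 1918 and other reserved ranges that must never be a source
# address on the public Internet ("martians").
INSIDE = [ipaddress.ip_network("198.51.100.0/24")]  # assumed site prefix
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(pkt):
    """Return (verdict, reason) for a packet seen at the site border.

    pkt: dict with 'direction' ('in' = arriving from the Internet,
    'out' = leaving toward it), 'src', 'dst', and optional 'icmp'=(type, code).
    """
    src = ipaddress.ip_address(pkt["src"])
    inside_src = in_any(src, INSIDE)
    # Ingress filter: our own prefix can never legitimately arrive from outside.
    if pkt["direction"] == "in" and inside_src:
        return "drop", "spoofed: site prefix as source on an inbound packet"
    # Egress filter: only our own prefix may leave the site (the BCP 38 rule
    # the thread wants every ISP to apply to customer links).
    if pkt["direction"] == "out" and not inside_src:
        return "drop", "spoofed: non-site source on an outbound packet"
    if in_any(src, MARTIANS):
        # The caveat from the thread: an ICMP type 3 code 4 (fragmentation
        # needed) sent from an RFC 1918-numbered router link is rejected too,
        # so the sender never learns the path MTU and PMTU discovery stalls.
        if tuple(pkt.get("icmp", ())) == (3, 4):
            return "drop", "martian source; ICMP frag-needed lost, PMTUD will break"
        return "drop", "martian source (RFC 1918 / reserved) on public link"
    return "accept", "ok"

# Constructed sample traffic, one packet per case the model distinguishes.
SAMPLE = [
    {"direction": "in",  "src": "198.51.100.7", "dst": "198.51.100.1"},
    {"direction": "out", "src": "203.0.113.9",  "dst": "192.0.2.1"},
    {"direction": "in",  "src": "10.1.2.3",     "dst": "198.51.100.5", "icmp": (3, 4)},
    {"direction": "in",  "src": "192.0.2.1",    "dst": "198.51.100.5"},
    {"direction": "out", "src": "198.51.100.5", "dst": "192.0.2.1"},
]

def run(pkts=SAMPLE):
    return [classify(p) for p in pkts]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE, run()):
        print(f"{p['direction']:>3} {p['src']:>14} -> {verdict}: {why}")
```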
