Security Incidents mailing list archives
Re: SNMP Scans 02/17/02
From: Valdis.Kletnieks () vt edu
Date: Thu, 21 Feb 2002 14:02:36 -0500
On Tue, 19 Feb 2002 09:50:39 EST, Security Coordinator <security () aptusventures com> said:
would be hard for them to know, but then why is it we see so many spoofed packets around? There should be ZERO of them on the net. Every router knows what addresses to expect to be inside vs outside. I won't belabour the point, but YES, you should not just report it to the ISP, you should let everyone know where attacks come from. What we REALLY need is a database and system good enough to understand the topology of the net and process attack reports in a sophisticated enough way that we can say things like "if this router was filtering like thus, this would be impossible" and if an ISP won't configure their equipment properly, then they can be held liable.
You know that, I know that - we put the lack of martian-packet filtering in the SANS ddos document, it's mentioned in the SANS Top10, and in the Top20. I put it into the white paper that got used as the basis for the Center for Internet Security benchmarks. It's hardly news.

And RFC1918 says those address spaces are *not* for public use - but if you go over to the NANOG list and suggest that ISPs filter *RFC1918* packets that come out of customer sites (or quit numbering their router point-to-point links out of 1918 space, which hoses Path MTU discovery when our border routers correctly reject their 1918-sourced ICMP packets), you will surely start a flame-fest.

I'm afraid you're right - the only way those ISPs will change their attitude is if one gets sued for contributory negligence for not filtering.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
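The source-address checks this message argues for (dropping martian sources, and telling inside from outside addresses at a border), as an added example that is not part of the original post. The site prefix `198.51.100.0/24`, the function names and the sample packets are constructed assumptions, and the martian list is illustrative rather than a complete bogon list.

```python
import ipaddress

# Source prefixes that should never be seen as a source on the public net.
# Illustrative subset only (assumption): RFC 1918 space plus classic martians.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",     # loopback
    "0.0.0.0/8",       # "this network"
    "169.254.0.0/16",  # link-local
    "224.0.0.0/4",     # multicast is never a valid source
)]

def is_martian(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MARTIANS)

def filter_decision(src, direction, inside_prefixes):
    """Decide what a border router should do with a packet's source address.

    direction: "in"  = arriving on the outside interface,
               "out" = leaving the site toward the Internet.
    inside_prefixes: the public prefixes that belong to this site.
    """
    ip = ipaddress.ip_address(src)
    inside = any(ip in ipaddress.ip_network(p) for p in inside_prefixes)
    if is_martian(src):
        # Also covers ICMP from routers numbered out of RFC 1918 space,
        # the case the message says breaks Path MTU discovery.
        return "drop: martian source"
    if direction == "in" and inside:
        return "drop: inside address arriving from outside"
    if direction == "out" and not inside:
        return "drop: source not in site address space"
    return "forward"

SITE = ["198.51.100.0/24"]  # constructed site prefix (documentation range)

# Constructed sample packets: (source address, direction)
SAMPLES = [("10.1.2.3", "out"), ("198.51.100.7", "out"),
           ("203.0.113.9", "out"), ("198.51.100.7", "in"),
           ("203.0.113.9", "in"), ("172.16.0.1", "in")]

def run_samples():
    return [(s, d, filter_decision(s, d, SITE)) for s, d in SAMPLES]

if __name__ == "__main__":
    for src, direction, verdict in run_samples():
        print(f"{src:15} {direction:3} {verdict}")
```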