nanog mailing list archives
Re: Ping flooding (fwd)
From: avg () ncube com (Vadim Antonov)
Date: Tue, 9 Jul 1996 15:10:38 +0800
That's once again a matter of defaults -- routers should _by default_ discard all packets from interfaces which they won't use for forwarding those packets back. This rule works in 99.9% of cases, preventing SA spoofing and some cases of transient loops, and can be disabled where asymmetrical routing is desired.

I also have thought of some mechanism to allow the destination host to quench the sender forcefully, by telling the intermediate router(s) to disallow forwarding to some destination for some period of time (a minute would do nicely to render flooding attacks ineffective), but there's a problem with authentication (i.e. there's a need for the router to "call back" to confirm that the destination indeed wants to shut up somebody).

Finally, routers could implement a kind of "reverse trace" ICMP with the following functionality: on reception of an RT ICMP message, take the SA from the ICMP and send back a reply message. After that, install a watchpoint to look for packets going to that address (the "watchpoint" may be implemented as a host route to some special interface). If the watchpoint is triggered (i.e. we've got a packet going to the SA), send a copy of the RT ICMP to the interface from which the offending packet came and remove the watchpoint. If the watchpoint wasn't triggered for some time, remove it silently. That simple mechanism would allow tracking down sources of forged (or mis-configured) SAs pretty quickly.

However, it is ineffectual if source-based routing with a large number of variant routes is used. But then, unrestricted SBR is very dangerous anyway (it allows creating artificial congestion by emitting relatively small streams of bogons with routes wound in tight loops).

--vadim
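The first paragraph describes what later became known as a strict reverse-path check: a packet is accepted only if the interface it arrived on is the one the router would use to forward traffic back to its source address, with the check switched off on interfaces where routing is known to be asymmetric. The following is an added illustration of that rule and is not code from the post or from any router vendor; the route table, interface names and sample packets are all constructed for the example.

```python
"""Strict reverse-path (source-interface) check, modelled after the rule in the
post: drop a packet unless it arrived on the interface we would use to reach its
source address. Added example; router model, routes and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    # destination prefix -> outgoing interface (constructed route table)
    routes: dict
    # interfaces where the check is disabled because routing is asymmetric
    rpf_exempt: set = field(default_factory=set)
    # record of (src, ingress, expected_ingress) for every dropped packet
    drops: list = field(default_factory=list)

    def egress_for(self, addr):
        """Longest-prefix match: which interface would we forward to addr on?"""
        addr = ipaddress.ip_address(addr)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def accept(self, src, ingress):
        """Strict check: the reverse path for src must be the ingress interface."""
        if ingress in self.rpf_exempt:
            return True  # asymmetric routing expected here; rule disabled
        back = self.egress_for(src)
        if back != ingress:  # also drops sources we have no route to at all
            self.drops.append((src, ingress, back))
            return False
        return True


def run_sample():
    """Run constructed packets through a router with two customer links,
    a peer and an upstream default route; returns (src, ingress, accepted)."""
    router = Router(
        routes={
            "10.0.0.0/8": "customer1",
            "10.1.0.0/16": "customer2",   # more specific than customer1's /8
            "192.0.2.0/24": "peer",
            "0.0.0.0/0": "upstream",
        },
        rpf_exempt={"peer"},  # peer is reached asymmetrically, so exempt it
    )
    packets = [  # (source address, arriving interface) - constructed
        ("10.0.5.1", "customer1"),      # legitimate customer traffic
        ("10.1.2.3", "customer1"),      # customer2's space arriving from customer1
        ("192.0.2.7", "customer1"),     # peer's space arriving from a customer
        ("198.51.100.9", "upstream"),   # unknown source, default route matches
        ("10.0.9.9", "upstream"),       # our customer's address arriving from outside
        ("203.0.113.5", "peer"),        # no matching reverse path, but peer is exempt
    ]
    return [(src, ifc, router.accept(src, ifc)) for src, ifc in packets], router


if __name__ == "__main__":
    results, router = run_sample()
    for src, ifc, ok in results:
        print(f"{src:14} via {ifc:10} -> {'forward' if ok else 'drop'}")
    print("drops:", router.drops)
```

Only the spoofed or misrouted sources are discarded, and the exempt peer interface shows where the author's "can be disabled where asymmetrical routing is desired" caveat applies in practice: the check is only as good as the operator's knowledge of which interfaces really do carry symmetric traffic.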