nanog mailing list archives
Re: smurf, the MCI-developed tracing tools (was Re: Bogus announcement)
From: Adrian Chadd <adrian () ourworld net>
Date: Sun, 28 Dec 1997 16:30:35 +1100 (EST)
Since source address spoofing seems to be the thing, why not bite the bullet and put filters on from addresses on downstream clients? It *would* start to blow out the size/complexity of the router configurations, but if your network is of a decent size you should already have some router config management tools written :)

But this way, people can only spoof IPs from their own block, and not random addresses. It would kill smurf attacks, make tracing a tad(?) easier, etc, etc.

And as I've mentioned before, not all types of floods are ICMP attacks. If you filter ICMP, then I'll start flooding with spoofed source addresses TCP packets with random sequence numbers and from IPs. What, you're going to ask routers to track all the TCP connections going through them now for validation? Erm, how many CPUs more are we going to need..? :)

I haven't looked at the MCI tools but my opinion is that if people start putting filters in, you would find the instances of flooding decline. All that needs to be done now is to discuss the best ways to do it (eg setting up a filter on a cisco which uses AS path regexps, so you can filter per interface on what people are announcing to you via BGP. That way, your downstreams can only send traffic with FROM IPs that they announce, and anyone who wants to spoof has to be speaking BGP.)

Adrian
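The per-interface source filtering proposed in the message above, sketched as the kind of router config management tool it mentions. This is an added example, not part of the original post: the interface names, prefixes and ACL numbers are constructed, and it assumes each downstream's announced prefixes are already available as a static list rather than derived from BGP.

```python
import ipaddress

# Constructed sample data: prefixes each downstream announces, keyed by the
# router interface the customer is attached to (all values hypothetical).
ANNOUNCED = {
    "Serial0/0": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "Serial0/1": ["203.0.113.0/24"],
}

def allowed_networks(prefixes):
    """Collapse a customer's announced prefixes into the minimal covering set."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def build_acl(acl_number, prefixes):
    """Render Cisco IOS extended ACL lines permitting only announced sources."""
    lines = []
    for net in allowed_networks(prefixes):
        # IOS ACLs take a wildcard (inverse) mask, which is the host mask.
        lines.append(f"access-list {acl_number} permit ip "
                     f"{net.network_address} {net.hostmask} any")
    # Any other source arriving on this interface is not the customer's: drop, log.
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines

def build_config(announced, first_acl=101):
    """Emit one inbound ACL per downstream interface and bind it."""
    out = []
    for n, (iface, prefixes) in enumerate(sorted(announced.items())):
        acl = first_acl + n
        out.extend(build_acl(acl, prefixes))
        out.extend([f"interface {iface}", f" ip access-group {acl} in", "!"])
    return out

def source_permitted(iface, src_ip, announced=ANNOUNCED):
    """Would a packet with this source address pass the filter on iface?"""
    addr = ipaddress.ip_address(src_ip)
    nets = allowed_networks(announced.get(iface, []))
    return any(addr in net for net in nets)

if __name__ == "__main__":
    print("\n".join(build_config(ANNOUNCED)))
```

Collapsing adjacent prefixes before rendering keeps the ACL short, which addresses the configuration size concern raised in the message.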