nanog mailing list archives

Re: Automatic filtering - CISCO, you should think about this...


From: Phil Howard <phil () charon milepost com>
Date: Sun, 28 Dec 1997 12:58:12 -0600 (CST)

Karl Denninger writes...

How about an interface keyword such as "auto-inbound-filter", which does
this:

      At STARTUP and when the LOCAL route table changes (i.e., "ip route
      xxx..." statements) the system looks at the interfaces, and the 
      local static routes, and builds an accept list for that interface.
      The list is stored in a "reserved" set of system access lists.

      Add a parameter which can be turned on (i.e., log) which would add
      "log" to the end of the filter lists, so that anyone TRYING to smurf
      will get logged

This would totally automate the process of inbound filtering to prevent or
severely limit smurf attacks.

Since filters which are based only on the source address are relatively
cheap for the router to process, this would likely not seriously burden 
anyone in their direct connections.

I'd love to see something like this, and it would reduce the complaint that
it's "too hard to manage" such things.

How about having "no-auto-inbound-filter" instead, making the default in all
new versions of IOS be to run this essential level of protection, providing
a means to turn it off only for those who know they need to turn it off.

-- 
Phil Howard | a6b5c8d2 () spam4mer org suck6it2 () no90ads4 org stop6ads () anyplace edu
  phil      | w0x8y2z4 () nowhere5 edu stop5ads () anyplace org a3b4c7d6 () dumbads3 org
    at      | ads6suck () spam0mer net end3ads1 () no95ads2 net stop1ads () noplace2 org
  milepost  | end5it79 () no2where net die3spam () s0p0a4m7 net eat05me6 () dumbads3 org
    dot     | end7ads9 () no52ads9 edu ads5suck () no9place net stop7074 () lame9ads edu
  com       | no9spam1 () lame5ads org no94ads1 () no96ads0 net stop5ads () nowhere7 net
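The mechanism Karl describes (recompute, per interface, an accept list of the source prefixes that can legitimately arrive there, from the interface's own subnet plus the static routes pointing out of it, and optionally tag each entry with "log") can be modelled outside the router. The following is an added example written for this archive page; it is not code from the post, from Cisco, or from IOS. The router state (interface names, addresses, "ip route" entries) is constructed sample data, the "auto-inbound-filter" keyword is represented by a set of interface names, and the generated text assumes IOS named standard access lists bound with "ip access-group ... in"; the exact syntax of any real "reserved" system ACLs is an assumption.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed sample router state (assumption, not from the post):
# interface name -> its own address with prefix length.
INTERFACES = {
    "Serial0": "192.0.2.1/30",      # link to customer A
    "Serial1": "198.51.100.1/30",   # link to customer B
    "Ethernet0": "203.0.113.1/24",  # upstream side
}

# Constructed "ip route" statements as (prefix, outgoing interface).
STATIC_ROUTES = [
    ("10.10.0.0/16", "Serial0"),
    ("10.20.0.0/24", "Serial1"),
    ("10.20.1.0/24", "Serial1"),
    ("0.0.0.0/0", "Ethernet0"),     # default route toward upstream
]

# Interfaces carrying the hypothetical "auto-inbound-filter" keyword.
AUTO_FILTERED = {"Serial0", "Serial1", "Ethernet0"}


def build_accept_lists(interfaces, static_routes, filtered):
    """Recompute, for each filtered interface, the source prefixes that may
    legitimately arrive on it: the interface's own subnet plus every static
    route whose next hop is that interface.  Returns {ifname: [IPv4Network]}.
    The post wants this run at startup and on every static route change."""
    accept = {}
    for ifname, addr in interfaces.items():
        if ifname in filtered:
            # strict=False turns 192.0.2.1/30 into the network 192.0.2.0/30
            accept[ifname] = [ip_network(addr, strict=False)]
    for prefix, ifname in static_routes:
        if ifname in accept:
            accept[ifname].append(ip_network(prefix))
    # Merge overlapping/adjacent prefixes so the generated ACL stays short.
    return {k: list(collapse_addresses(v)) for k, v in accept.items()}


def render_ios(accept, log=False):
    """Emit IOS-style named standard ACLs (source-address only, the cheap
    kind the post relies on) and bind each one inbound on its interface."""
    lines = []
    suffix = " log" if log else ""
    for ifname in sorted(accept):
        acl = f"auto-in-{ifname}"
        lines.append(f"ip access-list standard {acl}")
        for net in accept[ifname]:
            if net.prefixlen == 0:
                lines.append(f" permit any{suffix}")
            else:
                # IOS standard ACLs take a wildcard (inverse) mask.
                lines.append(f" permit {net.network_address} {net.hostmask}{suffix}")
        # The implicit deny is made explicit so the log option records spoofers.
        lines.append(f" deny any{suffix}")
        lines.append(f"interface {ifname}")
        lines.append(f" ip access-group {acl} in")
    return "\n".join(lines)


def permitted(accept, ifname, src):
    """Simulate the filter: would a packet with source `src` be accepted
    inbound on `ifname`?"""
    return any(ip_address(src) in net for net in accept[ifname])


if __name__ == "__main__":
    acl = build_accept_lists(INTERFACES, STATIC_ROUTES, AUTO_FILTERED)
    print(render_ios(acl, log=True))
    # A customer-A host sourcing its own address passes ...
    print(permitted(acl, "Serial0", "10.10.5.5"))
    # ... but a packet on Serial0 claiming an upstream source (the smurf
    # spoof the post is aimed at) is dropped and, with log=True, logged.
    print(permitted(acl, "Serial0", "203.0.113.50"))
```

Two things the generated output makes visible. First, the upstream interface with a default route collapses to "permit any", so the mechanism only protects on interfaces whose static routes fully describe what lives behind them; that is why the customer-facing links are where it matters. Second, a customer that is multihomed or otherwise sends traffic from prefixes not routed back over that link would be filtered too, which is the usual reason a "no-auto-inbound-filter" escape hatch is needed alongside an on-by-default setting.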

