nanog mailing list archives
Re: source filtering
From: prue () ISI EDU
Date: Tue, 12 Jan 1999 15:54:37 -0800
On Tue, Jan 12, 1999 at 01:11:09PM -0500, Steve Gibbard wrote:
==>On Tue, 12 Jan 1999 danderson () lycos com wrote:
==>
==>> I'm not sure what the big issue here is with the smurf attacks. If you set
==>> up some kind of access list that disables incoming icmp traffic, then turn
==>
==>That breaks path MTU discovery (see RFC 1435 for more info on that), among
==>other things.

What I have done is write a C program which looks at netflow records as they come in (close to real time). It checks the source port on the Cisco that the flow record identifies, and compares the source address to a list of acceptable source addresses for validity. I give the program a list of permit and deny like records with IP address and mask along with the ordinal port number. Any that are not legit get printed out.

You can then beat on your customer until they clean up their act. If they don't stop right away you can always put in a filter on the interface til they do. We have pretty strong contract verbiage which permits us to cut people off if their connection is being used for predatory activity. We haven't had to resort to that yet but being able to say "Fix it or I turn your connection down til you do" is very effective.

The nice thing is that it doesn't slow the router down at all, as long as you are doing netflow anyhow. I modified a copy of fdget which is Cisco's netflow demonstration software they have available via ftp. That made the programming task easy for a non programming type like me.

Walt Prue
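The check Walt describes, as an added example that is not his fdget modification or any Cisco code: a small Python program that reads flow records (input port, source, destination, protocol, packet count), looks up the input port in a permit/deny list of address/mask entries keyed by ordinal port number, and reports every flow whose source is not legitimate for the port it arrived on. The flow lines, rule lines and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example; the rule syntax, first-match-wins ordering, implicit deny on a configured port and the choice to skip ports with no rules (e.g. upstream links) are this example's assumptions, not something the post specifies.

```python
"""Flag NetFlow-style records whose source address is not valid for the input port.

Added example; the record and rule formats here are constructed, not Cisco's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    ifindex: int                    # ordinal port number the rule applies to
    network: ipaddress.IPv4Network  # address/mask to compare the flow's source against


@dataclass(frozen=True)
class Flow:
    ifindex: int    # input interface the router saw the packets on
    src: str
    dst: str
    proto: int
    packets: int


def parse_rules(text: str) -> List[Rule]:
    """Parse '<permit|deny> <ifindex> <prefix/len>' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, port, prefix = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        rules.append(Rule(action, int(port), ipaddress.IPv4Network(prefix, strict=False)))
    return rules


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed flow lines: '<ifindex> <src> <dst> <proto> <packets>'."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ifx, src, dst, proto, pkts = line.split()
        flows.append(Flow(int(ifx), src, dst, int(proto), int(pkts)))
    return flows


def source_is_valid(rules: List[Rule], ifindex: int, src: str) -> Optional[bool]:
    """First matching rule for this port wins, like a router ACL.

    Returns None when the port has no rules at all (assumed unmonitored, e.g. an
    upstream link).  A monitored port with no matching entry is an implicit deny.
    """
    addr = ipaddress.IPv4Address(src)
    monitored = False
    for r in rules:
        if r.ifindex != ifindex:
            continue
        monitored = True
        if addr in r.network:
            return r.action == "permit"
    return False if monitored else None


def find_spoofed(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows whose source address is not legitimate for the port they arrived on."""
    return [f for f in flows if source_is_valid(rules, f.ifindex, f.src) is False]


def report(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """One printable line per offending flow: what to show the customer."""
    return [f"port {f.ifindex}: src {f.src} -> {f.dst} proto {f.proto} pkts {f.packets}"
            for f in find_spoofed(rules, flows)]


# Constructed rule list: two customer ports, transit port 7 deliberately has no rules.
RULES = parse_rules("""
permit 3 192.0.2.0/24          # customer A owns 192.0.2.0/24 on port 3
deny   3 0.0.0.0/0
permit 5 198.51.100.0/25       # customer B owns two blocks on port 5
permit 5 198.51.100.128/26
deny   5 0.0.0.0/0
""")

# Constructed flow records (ifindex src dst proto packets).
FLOWS = parse_flows("""
3 192.0.2.17     203.0.113.5   6  12
3 10.0.0.1       203.0.113.255 1  5000   # RFC1918 source, ICMP to a broadcast address
5 198.51.100.150 203.0.113.9   17 3
5 198.51.100.250 203.0.113.255 1  8000   # outside both of customer B's blocks
7 203.0.113.1    192.0.2.1     6  1      # transit port: not checked
""")

if __name__ == "__main__":
    for line in report(RULES, FLOWS):
        print(line)
```

Run against the constructed records it prints the two flows on ports 3 and 5 whose sources fall through to the deny entry. A real deployment would feed it the decoded export stream and aggregate per (port, source) before paging anyone, but the matching logic is the whole of the check.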