nanog mailing list archives
RE: ACLs / Filter Lists - Best Practices
From: Rob Thomas <robt () cymru com>
Date: Fri, 30 Nov 2001 10:46:22 -0600 (CST)
Hi, all.

Just a couple of comments in response to:

] - <rant>RFC 1918 filtering is no silver bullet. Yes, it should be done, but
] all a malicious person needs in order to be able to launch an effective DDoS
] attack is to source from unassigned address space or address space that is
] known to be unused.</rant>

I filter all RFC 1918 and unused/bogon space at my borders (in both prefix-lists and ACLs). This cuts down on a large percentage of the garbage. Of course I filter outbound as well, to protect the Internet from my data centers. :) You can see the filtering I use in the Secure IOS Template and Secure BGP Templates here:

http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

With one routinely attacked site, 68% of the incoming traffic uses bogon source addresses (e.g. 127.1.1.1, 169.254.3.3, 0.1.2.3, etc.) So this filtering really does help.

However, having said that, please keep in mind that most of the bots I disassemble and botnets I monitor don't bother to spoof at all. Many don't include the capability to generate spoofed or malformed packets. Why? Because the number of bots used in the attack is already overwhelming. It is almost impossible to block them all with conventional filtering, so there is no need to spoof. Further, tracking them is quite difficult as well. Try explaining to a home user that his or her machine has been used in a DDoS attack. The response I received from one home PC owner was: "Cool!" :P

FYI, the miscreants continue to hack vulnerable Cisco routers. I watched as one crew gathered 800 ciscos (underground parlance) a few days ago. Please ensure that you have access control and good passwords on your routers. Advise your customers to do the same.

Hmm, when will I ever be able to keep my posts to "just a couple of comments?" :)

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
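
An added example, not part of the post above or of the templates it links: the border check the message describes, written in Python, denying RFC 1918 and bogon sources in both directions and measuring the bogon share of inbound traffic. Assumptions: the prefix list holds only long-standing special-use ranges (unallocated space must come from a maintained bogon list), the egress rule allowing only the site's own prefixes is one common way to filter outbound, and the documentation-range addresses and `LOCAL_PREFIXES` are constructed stand-ins.

```python
import ipaddress
from collections import Counter

# Special-use ranges that are never valid Internet source addresses.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/3",     # multicast (224/4) and reserved (240/4)
)]

# Constructed stand-in for the site's own address space (assumption).
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def filter_decision(direction, src, local_prefixes=LOCAL_PREFIXES):
    """Return (action, reason) for a packet crossing the border."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_PREFIXES:
        if addr in net:
            return "deny", f"bogon source {net}"
    # Egress rule (assumption): only the site's own prefixes may leave.
    if direction == "out" and not any(addr in n for n in local_prefixes):
        return "deny", "source outside local prefixes"
    return "permit", "ok"


SAMPLE_PACKETS = [  # constructed (direction, source) pairs
    ("in", "127.1.1.1"), ("in", "169.254.3.3"), ("in", "0.1.2.3"),
    ("in", "10.9.8.7"), ("in", "198.51.100.20"), ("in", "198.51.100.21"),
    ("out", "203.0.113.10"), ("out", "192.168.1.5"), ("out", "198.51.100.99"),
]


def summarise(packets):
    """Count packets per (direction, action)."""
    return Counter((d, filter_decision(d, src)[0]) for d, src in packets)


def inbound_bogon_percent(packets):
    """Share of inbound packets whose source is in bogon space."""
    inbound = [src for d, src in packets if d == "in"]
    denied = sum(filter_decision("in", s)[0] == "deny" for s in inbound)
    return 100.0 * denied / len(inbound) if inbound else 0.0


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_PACKETS).items()):
        print(*key, n)
    print(f"inbound bogon share: {inbound_bogon_percent(SAMPLE_PACKETS):.0f}%")
```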