nanog mailing list archives

Re: Is there a line of defense against Distributed Reflective attacks?


From: "Christopher L. Morrow" <chris () UU NET>
Date: Fri, 17 Jan 2003 05:16:43 +0000 (GMT)



On Thu, 16 Jan 2003, hc wrote:

> > Normally that's not very productive as they are mostly owned boxes that
> > will be rebuilt and reowned in days :(
>
> I agree, keeping track of the attacks would not be very useful nor
> helpful. I bet if more ISPs would implement egress filtering on their
> border routers, it'd help quite a bit. Of course, egress filters don't
> solve the issue. But considering most script kiddies' intelligence level

Egress filters are a distraction... today you don't have to spoof. These
are the red herring of 'security'.

THOUGH, all that said, having all networks, CUSTOMER NETWORKS, filtered as
close to end systems as possible would be a nice thing :) As Rob Thomas
points out 80% (or some huge number) of attacks are spoofed source
attacks. Every leaf network should be able to do the minimum uRPF strict
on all ether or gig links... that way you don't even have to take the hit
of an ACL to process the inbound traffic :)

This is most definitely best done as close to the end machines as possible
though; the traffic loads there are just much more manageable... and it
reduces the possible spoofage to the lowest limit possible.

> is limited, it will help at least a bit. :-) The problem with egress
> filtering is that it's mostly applicable at the end tier2+ level, not at
> the backbones, which means a lot of ISPs who are oblivious to what it
> is (or in some cases where egress filter breaks their network setup).

Hmm, but the smaller the network the easier to filter it is... right?
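A small model of the strict uRPF check Morrow recommends for customer-facing links, beside the loose variant, added here as an illustration (it is not code from the thread or from any router vendor). The FIB, interface names and packets are constructed; the multihomed-customer packet shows the asymmetric-routing case in which strict mode drops legitimate traffic, the kind of breakage hc alludes to.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed FIB for a small leaf router: (prefix, outgoing interface).
# Interface names and prefixes are hypothetical sample values.
FIB = [
    ("192.0.2.0/24", "Gi0/1"),     # single-homed customer A behind Gi0/1
    ("198.51.100.0/25", "Gi0/2"),  # multihomed customer B; our best path is Gi0/2
    ("0.0.0.0/0", "Up0"),          # default route toward the upstream
]
Route = Tuple[ipaddress.IPv4Network, str]

def lookup(addr: str) -> Optional[Route]:
    """Longest-prefix match on the source address; None if no route at all."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for prefix, ifc in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best

def urpf(src: str, ingress: str, strict: bool = True,
         allow_default: bool = False) -> bool:
    """Reverse-path check. strict: the best route back to src must point out
    the ingress interface (Morrow's suggestion for customer-facing links);
    loose: any route to src suffices. A default route only counts when
    allow_default is set, mirroring common router behaviour."""
    route = lookup(src)
    if route is None:
        return False
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False                  # a default route vouches for nobody
    return ifc == ingress if strict else True

# Constructed sample packets: (source IP, ingress interface, label)
PACKETS = [
    ("192.0.2.10", "Gi0/1", "customer A, legitimate"),
    ("203.0.113.5", "Gi0/1", "customer A link, spoofed outside source"),
    ("198.51.100.7", "Up0", "customer B arriving via its other provider"),
]

def decisions(strict: bool) -> dict:
    """Accept/drop verdict per packet in strict or loose mode."""
    return {label: urpf(src, ifc, strict=strict) for src, ifc, label in PACKETS}

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "loose", decisions(strict))
```

Loose mode lets the asymmetric packet through but also passes anything with any route, so it catches far less spoofing than strict mode on a true leaf link.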
