nanog mailing list archives

Re: ISP port blocking practice


From: Jon Kibler <Jon.Kibler () aset com>
Date: Fri, 23 Oct 2009 05:14:17 -0400


Steve Bertrand wrote:
> Jon Kibler wrote:
>> To answer that question, I would start with ingress and egress filtering by IP
>> address, protocol, etc.:
>>    1) Never allow traffic to egress any subnet unless its source IP address is
>> within that subnet range.
>
> Sorry to nit, but shouldn't your uRPF setup take care of this (and many
> other of your list items), long before ACL?
>
> It's absolutely great if you have your list implemented, but imho, all
> ISPs, no matter how small, should investigate and implement uRPF. It's
> especially fun to play with RTBH.
>
> To be honest, the smaller you are, the easier it is to implement (i.e.
> uRPF strict everywhere!  :)
>
> Steve


Agree for the most part. However:

1) The overwhelming majority of routers I have audited do not have uRPF
implemented and most admins do not comprehend it, but they do comprehend
(usually) ACLs.

2) L3 switching does not always support it, leaving potential for abuse if the
network has any donut holes.

3) uRPF works best on egress but does little on outside ingress (e.g., bogons).

4) Defense in depth dictates using more than one way to detect an attack, so use
both ACLs and uRPF.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
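
As an added illustration of the trade-off Jon and Steve are discussing (this is not code from either poster): a small Python model of one router with a constructed FIB, run against three constructed packets to show which of strict uRPF, loose uRPF and a per-interface source ACL would permit each. The interface names, prefixes, and the assumption that the default route counts as a valid reverse path are all assumptions of the example.

```python
"""Toy model of the two anti-spoofing controls the thread compares: a
source-address ACL and unicast RPF (strict and loose). Constructed example,
not code from the thread; topology, prefixes and packets are made up."""
import ipaddress
from typing import Optional

# Constructed FIB: prefix -> interface the router forwards to it through.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust0",     # customer behind cust0
    ipaddress.ip_network("198.51.100.0/24"): "cust1",  # customer behind cust1
    ipaddress.ip_network("0.0.0.0/0"): "upstream",     # default route
}
# Private ranges a bogon ACL would block on the upstream port.
BOGONS = [ipaddress.ip_network(p)
          for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Per-interface source ACL: customer ports may only source their own subnet.
SOURCE_ACL = {"cust0": ipaddress.ip_network("192.0.2.0/24"),
              "cust1": ipaddress.ip_network("198.51.100.0/24")}

def best_route(src: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match. Assumption: the default route counts as a reverse
    path (the vendor 'allow-default' option), so a bogon arriving from upstream
    passes both uRPF modes below and only the ACL catches it."""
    matches = [(n.prefixlen, ifc) for n, ifc in FIB.items() if src in n]
    return max(matches)[1] if matches else None

def urpf_strict(src: ipaddress.IPv4Address, ingress: str) -> bool:
    """Strict mode: the route back to the source must point at the ingress port."""
    return best_route(src) == ingress

def urpf_loose(src: ipaddress.IPv4Address) -> bool:
    """Loose mode: any route back to the source is enough."""
    return best_route(src) is not None

def acl_permits(src: ipaddress.IPv4Address, ingress: str) -> bool:
    """Customer ports: source must lie in the port's subnet; upstream: not a bogon."""
    if ingress in SOURCE_ACL:
        return src in SOURCE_ACL[ingress]
    return not any(src in b for b in BOGONS)

def evaluate(src: str, ingress: str) -> dict:
    """Run all three checks on one packet; True means that check would permit it."""
    s = ipaddress.ip_address(src)
    return {"strict_urpf": urpf_strict(s, ingress),
            "loose_urpf": urpf_loose(s), "acl": acl_permits(s, ingress)}

if __name__ == "__main__":
    # Legit customer packet, spoofed source on a customer port, bogon from upstream.
    for pkt in [("192.0.2.10", "cust0"), ("203.0.113.5", "cust0"), ("10.1.2.3", "upstream")]:
        print(pkt, evaluate(*pkt))
```

The spoofed customer packet is caught by strict uRPF and by the ACL, while the bogon from upstream slips past both uRPF modes under the default-route assumption and is stopped only by the ACL, which is the defense-in-depth point of Jon's item 4.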

