Vulnerability Development mailing list archives
Re: Automatic antispoofing rules on access servers.
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 20 Sep 2000 14:48:17 +0800
The difference is, with this feature, you should not have to do as much reconfiguration if your netblocks change. That's what I'm talking about - lowering the administration costs for installing such rules at the access points. Check out the url. You'll see that you don't have to write the rules by hand. Use the same statements for every router. By putting the rules at the access servers, ISP can stop customers from spoofing others within their networks. Btw I'm not trying to promote Cisco here. In fact I was actually about to post asking if any router manufacturer had done such a thing - uniform config parameter(s) to do antispoofing on tons of different routers and interfaces. And then I found something like it on Cisco's site, and now I'm wondering if ISPs actually know about it and are using it. I was thinking "why hasn't anybody done this", and then "Oh they have!" :). Cheerio, Link. At 10:41 AM 19-09-2000 -0700, Ryan Permeh wrote:
although this is a neat idea, placing antispoofing rules on your border acheives thew same level of protection at a much lower administrative cost. i used to work at an isp, and puting together possibly thousands antispoofing rules by hand in an understaffed, undertechnical environment is a hard thing to do. Especcially in the isp aquisition climate where your netblocks may not be the same for a while. If we got people to shut off broadcasts(at least icmp, if not all) and spoofing at the borders it would help a whole lot. PS: this doesn't just apply to isp's. there are schools and buisnesses that are just as guilty (and sometimes have just as big networks). Signed, Ryan eEye Digital Security Team http://www.eEye.com ----- Original Message ----- From: "Lincoln Yeoh" <lyeoh () POP JARING MY> To: <VULN-DEV () SECURITYFOCUS COM> Sent: Monday, September 18, 2000 7:50 PM Subject: Automatic antispoofing rules on access servers.I believe antispoofing filters won't really use up much CPU. So probably one of the main reasons ISPs don't use them at their access servers is the administrative cost in maintaining the rules. However I recently noticed that Cisco has a feature which seems to make this simpler to do.http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/rpf_plus.htm Do other major router/access server manufacturers have similar features? If such features were more widely used, smurfing and spoofing stuff would be a lot more difficult than it is now. Are there any problems which would discourage use by ISPs? Cheerio, Link.
Current thread:
- Cisco CDP attacks FX, Phenoelit (Sep 18)
- Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 19)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 19)
- Re: Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ryan Permeh (Sep 19)
- Automatic antispoofing rules on access servers. Lincoln Yeoh (Sep 19)