Vulnerability Development mailing list archives

Re: Automatic antispoofing rules on access servers.


From: Jeffrey Karpenko <Jeffrey.Karpenko () RHIGROUP COM>
Date: Wed, 20 Sep 2000 08:47:01 -0400

Tekkers:
        I recently looked into a situation at my workplace where the
internal firewall dropped a group of NBT packets with a source and
destination IP Address not within our network range.  In fact the Source was
sending to a Destination within its own network, so how did those packets
even make it out to the Internet? <shrug>.  Wondering how we had the packets
delivered to our Internet router baffled me.  I can only assume by
spoofing!  (They didn't look like a broadcast to me.)  I called UUNET, our
service provider, and inquired about the strange packets.  They weren't much
help.  I then called Cisco as we have two routers before the internal
firewall, one being a PIX.  At this time, Cisco does not know how these
packets got through the PIX and they went through each line of my config.  I
finally told Cisco I would set up a Sniff Trigger to capture the packets if
it happened again.  The case remains open.  I then looked into Ingress
Filtering.  Ingress Filtering checks to see if the path used to get to you
is the shortest path.  (If I am missing something please inform.)  I called
UUNET and requested Ingress Filtering on our "T Lines".  I was directed to
security where they told me they do not support Ingress Filtering because
eventually it would affect the performance of other customers.  By this they
mean that before long everyone would want Ingress Filtering turned on and
the switch would suffer because of the extra load.  They suggest turning
Ingress Filtering on locally to their customers.  I then turned it on in the
PIX config . . .  ( ip verify reverse-path interface outside ).  This filter
can be turned on for each interface.  Turning it on for the "inside"
interface would be called Egress Filtering and would prevent spoofs headed
out from within your own network.

        Turning on Ingress Filtering locally however, does not prevent
packets from the Internet from hitting my PIX.  This would mean that a DoS
could be possible by flooding the bandwidth of the T from UUNET.  To prevent
such a DoS one would need to be familiar with the normal usage percentage of
the line's bandwidth and have network monitoring software set up to alarm
when the percentage is exceeded.  UUNET will, upon proof of such an attack,
temporarily turn on Ingress Filtering to stop the activity.  I guess if
someone wanted to take the time, they could gradually increase the bandwidth
usage of a line, being careful not to flood it,  causing the target company
to have to pay more money to their Service Provider for bandwidth usage.
Hmmm.

Jeffrey


-----Original Message-----
From: Ryan Permeh [mailto:Ryan () EEYE COM]
Sent: Tuesday, September 19, 2000 1:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Automatic antispoofing rules on access servers.


Although this is a neat idea, placing antispoofing rules on your border
achieves the same level of protection at a much lower administrative cost.
I used to work at an ISP, and putting together possibly thousands of
antispoofing rules by hand in an understaffed, undertechnical environment is
a hard thing to do.  Especially in the ISP acquisition climate where your
netblocks may not be the same for a while.  If we got people to shut off
broadcasts (at least ICMP, if not all) and spoofing at the borders it would
help a whole lot.

PS: this doesn't just apply to ISPs.  There are schools and businesses that
are just as guilty (and sometimes have just as big networks).
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, September 18, 2000 7:50 PM
Subject: Automatic antispoofing rules on access servers.


I believe antispoofing filters won't really use up much CPU. So probably
one of the main reasons ISPs don't use them at their access servers is the
administrative cost in maintaining the rules.

However I recently noticed that Cisco has a feature which seems to make
this simpler to do.


http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/rpf_plus.htm

Do other major router/access server manufacturers have similar features?

If such features were more widely used, smurfing and spoofing stuff would
be a lot more difficult than it is now.

Are there any problems which would discourage use by ISPs?

Cheerio,
Link.
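Both the PIX setting Jeffrey turned on (`ip verify reverse-path interface outside`) and the Cisco IOS feature Lincoln asked about are forms of unicast reverse-path forwarding (uRPF). The check is not about path length: for each arriving packet the device looks up the route back to the packet's source address and, in strict mode, accepts the packet only if that route exits through the interface the packet arrived on; loose mode merely requires that some usable route to the source exist. The following is an added illustration written for this archive page, not code from any poster, from Cisco, or from a PIX or IOS image. It models a two-interface border device with a constructed routing table (the prefixes are documentation ranges, and the interface names, route entries and sample packets are all assumptions) and runs strict and loose checks over a handful of constructed packets. The cases cover the spoofed-inbound and spoofed-outbound ("egress") packets the thread discusses, and one case worth noticing: a packet whose source and destination are both outside your own range passes uRPF on the outside interface, because the check only ever consults the source address, so uRPF alone would not have flagged the odd NBT packets Jeffrey described.

```python
import ipaddress

# Constructed two-interface border device (assumption for this example).
# 203.0.113.0/24 stands in for the organisation's own address space; all
# addresses used below are documentation/example ranges, not real networks.
ROUTES = [
    ("203.0.113.0/24", "inside"),   # our prefix lives behind the "inside" interface
    ("10.0.0.0/8", "null0"),        # RFC 1918 space: discard route, never a valid source
    ("0.0.0.0/0", "outside"),       # everything else is reached via the ISP link
]


def route_interface(src):
    """Longest-prefix match over ROUTES: the interface the device would use
    to reach `src`, or None when no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src, in_iface, mode="strict"):
    """Unicast reverse-path forwarding verdict for one packet.

    strict: accept only if the best route back to `src` exits via the
            interface the packet arrived on.
    loose:  accept if any usable route to `src` exists (a discard route
            to null0 does not count).
    Returns "accept" or "drop".
    """
    via = route_interface(src)
    if via is None or via == "null0":
        return "drop"
    if mode == "strict":
        return "accept" if via == in_iface else "drop"
    if mode == "loose":
        return "accept"
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample packets: (label, source, destination, arrival interface).
PACKETS = [
    ("legit inbound",                 "198.51.100.7", "203.0.113.10", "outside"),
    ("spoofed our prefix, inbound",   "203.0.113.5",  "203.0.113.10", "outside"),
    ("foreign src and dst, inbound",  "198.51.100.7", "198.51.100.9", "outside"),
    ("legit outbound",                "203.0.113.20", "198.51.100.7", "inside"),
    ("spoofed outbound (egress)",     "192.0.2.99",   "198.51.100.7", "inside"),
    ("bogon inbound",                 "10.1.2.3",     "203.0.113.10", "outside"),
]


def evaluate(mode="strict"):
    """Apply the uRPF check to every sample packet; returns {label: verdict}."""
    return {label: urpf_check(src, iface, mode) for label, src, _dst, iface in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for label, verdict in evaluate(mode).items():
            print(f"{verdict:6} {label}")
```

Strict mode drops the inbound packet claiming one of our own addresses and the outbound packet with a foreign source (the egress case), while loose mode lets both through and only rejects sources with no valid route, which is why loose mode is the usual choice where asymmetric routing makes strict mode unsafe. The destination address never enters the decision.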
