>As always, it appears that you have the answers. Your help is very much
>appreciated. But one other thing... in reference to "Border Router: drop
>all (spoofed) packets on the outside interface from your ip block to your
>inside interface and to your ip blocks". Forgive my ignorance, but I don't
>exactly follow.
We had a guy in here a couple of months ago who was getting hammered with
spam as open relay. We confidently told him how to setup Imail to stop the
relaying (relay for my local trusted ip block). He did that and said he was
still getting spammed / relayed. Relay for addresses didn't work for
him. The spam kept coming because the spammer was spoofing the Imail guy's
ip addresses. Imail alone can't defend against this. And his router was
not set up for anti-spoofing.
So the complete solution requires stopping ip spoofing at the border
router, to complement Imail's relay for addresses, so the packets that
Imail sees from its local ip's are really only from its local ip's.
A two-interface router would have the "outside" interface connected to the
backbone/upstream and the "inside" interface connected to your downstream /
local plant.
An anti-spoofing rule would paraphrase like this:
drop any packet from outside-interface my-ip-block to inside-interface
my-ip-block
Since your ip block(s) are ideally only accessible on the inside-interface
of the router, any packet from the outside-interface saying it is coming
from one of your ip blocks is a spoofed packet. Drop it in the bit
bucket. The trick here is to silently drop the spoofed packets, stealth mode,
without returning an error or reject msg. Not seeing any error msg, the
spam source "might" wait a timeout period before retransmitting, reducing
the work on your router. aka 'tarpitting', ie, in the face of broken or
malicious ip traffic, you respond very slowly or not at all.
You would also set up rules for the RFC1918 private address space since none of
those ips are routable, ie, they should not be leaving your private net to
the outside/public interface, and they should not be arriving from the
outside/public.
>Is this worth explaining
I hope so, I just did it. Anybody still awake??
>or do I need a class?
A lot cheaper and more productive would be to build yourself a packet
filtering router with Linux or FreeBSD and see how it works. An old P75 +
32 megs and two ISA ethernet cards would be fine. My suggestion would be
FreeBSD and ipfilter (also gives you NAT and stateful filtering). Or see
if your border router already supports packet filtering, then set up the
anti-spoofing rules.
Len
http://BIND8NT.MEIway.com: ISC BIND 8 installable binary for NT4
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
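The border-router rules Len describes, written out as an ipfilter (ipf.conf) fragment; this is an added example, not Len's own configuration. It assumes fxp0 is the outside interface and fxp1 the inside one, uses 192.0.2.0/24 as a placeholder for your ip block, and the final rule goes one step beyond the post by also stopping your own side from sourcing forged addresses outbound.

```conf
# ipf.conf fragment (added example). Assumed layout:
#   fxp0 = outside interface (backbone/upstream)
#   fxp1 = inside interface (local plant)
#   192.0.2.0/24 = your ip block (placeholder, substitute your own)
# ipfilter passes any packet that no rule matches; "quick" makes the
# first matching rule final; a plain "block" (no return-rst /
# return-icmp) is the silent drop into the bit bucket.

# Anti-spoofing: a packet arriving on the outside interface that claims
# to come from our own block cannot be genuine. Drop it silently and
# log it (ipmon) so spoofing attempts are visible in the logs.
block in log quick on fxp0 from 192.0.2.0/24 to any

# RFC1918 private space is not routable on the public side: it must
# neither arrive from the upstream nor leave toward it.
block in  quick on fxp0 from 10.0.0.0/8     to any
block in  quick on fxp0 from 172.16.0.0/12  to any
block in  quick on fxp0 from 192.168.0.0/16 to any
block out quick on fxp0 from 10.0.0.0/8     to any
block out quick on fxp0 from 172.16.0.0/12  to any
block out quick on fxp0 from 192.168.0.0/16 to any

# Egress filtering (beyond the post): nothing leaving toward the
# upstream may carry a source address outside our own block, so our
# plant cannot be used to spoof somebody else's addresses.
block out log quick on fxp0 from ! 192.0.2.0/24 to any
```

Check the file parses without touching the running kernel with `ipf -nf /etc/ipf.conf`, then load it with `ipf -Fa -f /etc/ipf.conf`.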