You might also be interested in this:
From: Daniel Karrenberg <[EMAIL PROTECTED]>
To: RIPE Mailing List <[EMAIL PROTECTED]>
Subject: Proposal for a RIPE "IP Spoofing" Task Force
List-Id: General announcements / discussions about RIPE <ripe-list.ripe.net>
Dear colleagues,
unfortunately DoS amplification attacks are still with us. There are
indications that the damage caused by such attacks is increasing;
certainly their visibility has increased recently. The only way to
effectively stop amplification attacks is to prevent IP source address
spoofing. Without spoofing there is no amplification and no obfuscation
of the real source of DoS attack traffic. RIPE needs to encourage
operators to prevent IP source address spoofing. Hence I propose to
establish an "IP Spoofing" task force.
I include a document outlining the motivation for the task force, a
proposed charter and a proposed time-line; it also has a reference list
that can be used as a starting point to learn more.
In order to collect suggestions and gather people working on the task
force, I propose a BoF session at RIPE-52. Tuesday around 17:15 after
the plenary and before the social is a good time. If you are interested
I will see you there. If you would like to help but you will not be in
Istanbul, please contact me off-list with specifics of what you can
contribute. I am specifically looking for people from equipment vendors
who can provide how-to documents and network operators who can relate
deployment experiences.
Daniel
Proposal for a RIPE "IP Spoofing" Task Force
============================================
Daniel Karrenberg
<[EMAIL PROTECTED]>
1.0
Thu Apr 6 16:04:35 CEST 2006
Introduction
------------
IP source address spoofing is the practice of originating IP datagrams
with source addresses other than those assigned to the host of origin.
In simple words the host pretends to be some other host.
This can be exploited in various ways, most notably to execute DoS
amplification attacks which cause an amplifier host to send traffic to
the spoofed address.
There are many recommendations to prevent IP spoofing by ingress
filtering, e.g. checking source addresses of IP datagrams close to the
network edge.
Most equipment vendors support ingress filtering in some form.
Yet recently significant DoS amplification attacks have happened which
would be impossible without spoofing.
This demonstrates that ingress filtering is definitely not deployed
sufficiently. Unfortunately there are no direct benefits to an ISP that
deploys ingress filtering. Also there is a widely held belief that
ingress filtering only helps when it is universally deployed.
RIPE as an operational forum should promote deployment of ingress
filtering at the network edge by creating a task force that raises
awareness and provides indirect incentives for deployment.
Proposed Charter
----------------
This task force shall
- raise awareness about this issue among network operators,
- inform about operational methods to implement ingress filtering,
and
- seek ways to provide incentives and benefits to operators
that do implement ingress filtering.
The task force shall have completed its task when
- network operators cannot reasonably claim not to be aware of the issue,
- information about ways to deploy ingress filtering is readily available
and
- any incentives it may have devised have become available.
The task force shall be disbanded when these tasks have been completed
or when there is consensus within RIPE that completion of the tasks
is no longer realistic.
Suggested Time-Line
-------------------
RIPE-52: BoF and Establishment of Task Force
- Quickly draft and publish RIPE recommendation citing existing work.
- Compile How-To with (pointers to) vendor documentation and operational
  experience reports.
- Establish liaison with MIT ANA Spoofer Project, promote their tools.
- Analyse Spoofer data for RIPE region.
RIPE-53: Published RIPE Recommendation on Ingress Filtering
         Published First Edition of "Ingress Filtering How-To"
         First analysis of Spoofer data.
- Discuss possible incentive schemes.
- Revise and extend How-To.
- Devise possible incentive schemes like a "Source Address Clean"
  network logo, suitable RIPE DB attributes ...
RIPE-54: Published Second Edition of "IP Source Address Filtering How-To"
         Further analysis of Spoofer data for RIPE region.
         Launch of any incentive scheme.
- Implement incentive scheme.
- Monitor progress and effectiveness.
RIPE-55: Evaluation and Disbanding of Task Force
References
----------
RFC2827
Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Address Spoofing
http://www.ietf.org/rfc/rfc2827.txt
SSAC004
Securing the Edge
http://www.icann.org/committees/security/sac004.txt
SSAC008
DNS Distributed Denial of Service (DDoS) Attacks
http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
ripe-66
RIPE Task Forces
ftp://ftp.ripe.net/ripe/docs/ripe-066.txt
MIT Spoofer Project
http://spoofer.csail.mit.edu/
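The ingress filtering described in the Introduction (checking source addresses of datagrams close to the network edge, as in RFC 2827), as an added example that is not part of the proposal above nor of any vendor's implementation. The model is a simplified edge router: each customer-facing interface is assigned the prefixes its customer is allowed to source from, and a datagram whose source address lies outside those prefixes is dropped. The interface names, the prefix assignments and the packet records are constructed for this example, using the documentation prefixes from RFC 5737 and RFC 3849; the behaviour is the strict "assigned prefix on this interface" check, not the uRPF variants real routers offer.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assignment table for a hypothetical edge router: every
# customer-facing interface maps to the prefixes that customer may source from.
# Documentation prefixes only (RFC 5737 / RFC 3849); nothing here is live.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],        # customer A
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),      # customer B, IPv4
             ipaddress.ip_network("2001:db8:b::/48")],     # customer B, IPv6
}


@dataclass(frozen=True)
class Packet:
    """Minimal datagram record: only the fields the ingress check needs."""
    ingress_if: str
    src: str
    dst: str


def ingress_permitted(pkt, table=INTERFACE_PREFIXES):
    """RFC 2827 style check: accept only if the source address lies within a
    prefix assigned to the interface the packet arrived on."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # unparsable source: treat as spoofed, never forward it
    prefixes = table.get(pkt.ingress_if)
    if prefixes is None:
        return False  # no assignment for this interface: nothing is permitted
    # ipaddress returns False for a v4/v6 version mismatch, so mixed tables are safe.
    return any(src in prefix for prefix in prefixes)


def filter_packets(packets, table=INTERFACE_PREFIXES):
    """Split a batch into forwarded and dropped datagrams; the dropped list is
    what an operator would count or log to spot spoofing customers."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if ingress_permitted(pkt, table) else dropped).append(pkt)
    return accepted, dropped


def drops_per_interface(dropped):
    """Per-interface drop counts: a sudden rise on one port is the operational signal."""
    counts = {}
    for pkt in dropped:
        counts[pkt.ingress_if] = counts.get(pkt.ingress_if, 0) + 1
    return counts


# Constructed sample traffic, mixing legitimate and spoofed sources.
SAMPLE = [
    Packet("eth1", "192.0.2.10", "203.0.113.53"),        # customer A, legitimate
    Packet("eth1", "203.0.113.7", "203.0.113.53"),       # spoofed: not an A prefix
    Packet("eth2", "198.51.100.200", "203.0.113.53"),    # outside customer B's /25
    Packet("eth2", "2001:db8:b::1", "2001:db8:ff::53"),  # customer B IPv6, legitimate
    Packet("eth3", "192.0.2.10", "203.0.113.53"),        # interface with no assignment
    Packet("eth1", "not-an-address", "203.0.113.53"),    # malformed source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for pkt in bad:
        print(f"DROP {pkt.ingress_if} src={pkt.src} dst={pkt.dst}")
    print("drops per interface:", drops_per_interface(bad))
```

Two design points match the operational picture in the proposal: the default is deny (an interface without an assignment forwards nothing, so a configuration gap fails closed rather than open), and the drop counts are kept per interface, since that is the figure an ISP can act on when one customer port suddenly starts emitting foreign source addresses.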