So, what you say comes down to the point that it should be done on the
customers' premises and not in the ISP's network... If you extend this
philosophy a bit further to the end users, we'd live in a heavenly
internetwork :-) But...

Ramin

On Tue, Mar 26, 2002 at 10:36:23AM -0600, Daniel F. Chief Security Engineer - wrote:
> I do not know how many of you also subscribe to NANOG, but they covered this
> topic in detail a few months ago. The problem is there is not a router
> capable of filtering at line speed above OC3 speeds, is what a lot of admins
> were saying. So you have to do this where you can. I personally do it on the
> firewalls before it ever gets to my edge router, as we have a couple of OC3s
> and it can have a real effect on the router to have an access list on a link
> pushing 100+ Mbps.
>
> As for specifics on what I'm doing:
>
> For instance, I block UDP inbound/outbound to port 80 and send a port
> unreachable if someone tries this. However, it would be a simple thing for
> someone off my network to abuse this, so you have to make sure you put a limit
> on the number of packets you send for the outbound packets. Or someone could
> use your firewall to hit someone else with a ton of ICMP packets; all it would
> take is a spoofed UDP flood. : )
>
> Since we are a large ISP/webhosting company I try to do everything I can to
> be a good net citizen.
>
> Thanks
>
>
> On Monday 25 March 2002 07:46 pm, Ramin Alidousti wrote:
> > On Mon, Mar 25, 2002 at 05:30:46PM -0800, Rob Finneran wrote:
> > > Good topic.
> > >
> > > I've read a CERT that states that ISPs should practice being good net
> > > citizens by not allowing packets with spoofed IP addresses to leave their
> > > networks.
> >
> > It's easier said than done. First of all, it should be done on the edge,
> > otherwise a transit network cannot distinguish between a spoofed or a
> > valid transit packet; secondly, just imagine what the impact would be to
> > filter on OC12 or 48 or even 192 interfaces... Another point is that not
> > all spoofed packets are from different ISPs or even segments of an ISP, so
> > there is still the possibility for a spoofer to spoof...
> >
> > But in general, I agree, spoofed packets should get identified and dropped
> > as early as possible, ideally on the very first hop.
> >
> > Ramin
> >
> > > Maybe I'm a little naive, but if everyone did this, wouldn't this prevent
> > > the majority of hack attacks?
> > >
> > > Rob
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel F. Chief
> > > Security Engineer -
> > > Sent: Monday, March 25, 2002 2:31 PM
> > > To: Netfilter - Mail list
> > > Subject: Being a good netizen, with iptables.
> > >
> > >
> > > This may be more philosophical than technical.
> > >
> > > I have several gateway firewalls using iptables : )
> > >
> > > Big ones; each one can see at peak around 100+ Mbps. I have many rules for
> > > ports that are filtered to REJECT with an ICMP port or host unreachable.
> > > From time to time I get e-mails from other _admins_ saying "Your IP
> > > xxx.xxx.xxx.xxx is attacking us"; some of them include packet logs
> > > showing the ICMP packets coming from my firewall. So basically I tell
> > > them to check out their own system, as I know my firewalls are secure (of
> > > course I check them out every time because I'm paranoid), telling them
> > > that it is possible that someone spoofed their IP while sending me
> > > packets. But it could be port scanners who may own the other guy's box or
> > > have an account there which allows them to portscan.
> > >
> > > By using the REJECTs, it seems to me it would possibly draw attention to
> > > these systems that are doing such naughty things when a netadmin
> > > hopefully sees the potentially hundreds of ICMP port unreachables coming
> > > in to his network headed for one machine. I know I have filters set up to
> > > see this kind of stuff and alert me to the possibility of a compromised
> > > machine.
> > >
> > > I'm not trying to start a _Holy_war_ between DROP and REJECT fans, just
> > > wondering what the consensus is here. What should a good netizen do these
> > > days?
> > >
> > > TIA
> > >
> > >
> > > --
> > > Chief Security Engineer | Daniel Fairchild [EMAIL PROTECTED]
> > > Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
> >
> --
> Chief Security Engineer | Daniel Fairchild [EMAIL PROTECTED]
> Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
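The two practices argued over in the thread, egress/ingress anti-spoofing at the edge and a REJECT that is rate-limited so a spoofed UDP flood cannot turn the firewall into an ICMP reflector, as an added iptables example. This is not Daniel's ruleset or anything posted on the list; the interface name eth0, the prefix 192.0.2.0/24 and the 10/second, burst 20 limits are hypothetical placeholders. By default the script only prints the iptables commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the two points
# discussed above.
#   1. Anti-spoofing on the edge: drop ingress packets that claim our own
#      prefix as source, and drop egress packets that do not carry it.
#   2. Rate-limited REJECT: answer unwanted UDP/80 with ICMP port
#      unreachable, but cap how many ICMP errors the box will ever emit,
#      so a spoofed UDP flood cannot use the firewall as an ICMP reflector.
# eth0, 192.0.2.0/24 and the limit values are hypothetical placeholders.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them (needs root)

# rule ARGS...: print or execute one iptables invocation.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# antispoof_rules EXT_IF OUR_PREFIX
antispoof_rules() {
    as_ext="$1"; as_ours="$2"
    # Ingress: a packet arriving from the outside with one of our own
    # addresses as source is spoofed; it can never be legitimate.
    rule -A INPUT   -i "$as_ext" -s "$as_ours" -j DROP
    rule -A FORWARD -i "$as_ext" -s "$as_ours" -j DROP
    # Egress: nothing leaves towards the outside unless it is sourced from
    # our prefix, i.e. spoofed packets are dropped at the very first hop.
    rule -A OUTPUT  -o "$as_ext" ! -s "$as_ours" -j DROP
    rule -A FORWARD -o "$as_ext" ! -s "$as_ours" -j DROP
}

# udp80_reject_rules EXT_IF RATE BURST
# The limit match is one token bucket for the rule, so the firewall emits
# at most RATE ICMP errors per second (plus BURST) for UDP/80 no matter
# which source addresses a flood carries. Packets above the limit do not
# match the REJECT rule and fall through to the silent DROP right after it;
# the order of the two rules is what makes this work.
udp80_reject_rules() {
    ur_ext="$1"; ur_rate="$2"; ur_burst="$3"
    for ur_chain in INPUT FORWARD; do
        rule -A "$ur_chain" -i "$ur_ext" -p udp --dport 80 \
            -m limit --limit "$ur_rate" --limit-burst "$ur_burst" \
            -j REJECT --reject-with icmp-port-unreachable
        rule -A "$ur_chain" -i "$ur_ext" -p udp --dport 80 -j DROP
    done
}

# Stand-alone run: print the ruleset for the hypothetical edge.
antispoof_rules eth0 192.0.2.0/24
udp80_reject_rules eth0 10/second 20
```

Two caveats when adapting this: the limit is shared by everyone hitting UDP/80, so during a flood legitimate senders get silent drops instead of unreachables, which is the trade-off Daniel describes; and if the firewall's own address on the external link lies outside OUR_PREFIX (a link net assigned by the upstream, say), the OUTPUT rule must exempt that address or the firewall will drop its own traffic, including the ICMP errors REJECT generates.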

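The detection side Daniel mentions, a filter that notices many ICMP unreachables arriving for one machine on your network, as an added example that is not his setup or anything from the list. It reads iptables LOG lines from stdin (the format is the LOG target's, where an ICMP error carries the quoted original header in brackets), counts ICMP type 3 messages per inside destination and how many different outside firewalls sent them, and prints the destinations over a threshold. The log lines are constructed for the example and the addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): flag inside hosts that receive many
# ICMP destination-unreachable messages, which is what a port scanner (or a
# host whose address is being spoofed) looks like from the receiving end.

# icmp_unreach_report THRESHOLD   (iptables LOG lines on stdin)
# Prints "DST count distinct_senders" for every destination that received
# at least THRESHOLD ICMP type 3 messages, sorted by address.
icmp_unreach_report() {
    awk -v thr="$1" '
    /PROTO=ICMP TYPE=3 / {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            # The first SRC=/DST= on the line are the outer IP header. The
            # quoted original header starts with "[SRC=", so the anchored
            # match skips it, and the empty-string guard keeps the outer DST.
            if (src == "" && $i ~ /^SRC=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^DST=/) dst = substr($i, 5)
        }
        if (dst == "") next
        n[dst]++
        if (!((dst, src) in seen)) { seen[dst, src] = 1; senders[dst]++ }
    }
    END {
        for (d in n) if (n[d] + 0 >= thr + 0) print d, n[d], senders[d]
    }' | sort
}

# Constructed sample log: five unreachables for 192.0.2.10 from three
# remote firewalls, one for 192.0.2.20, plus an echo request and a TCP
# line that must be ignored.
sample_log() {
    cat <<'EOF'
Mar 25 14:31:02 gw kernel: ICMP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=56 TTL=55 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=198.51.100.7 LEN=28 TTL=64 PROTO=UDP SPT=4321 DPT=80 LEN=8 ]
Mar 25 14:31:02 gw kernel: ICMP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=56 TTL=55 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=198.51.100.7 LEN=28 TTL=64 PROTO=UDP SPT=4321 DPT=81 LEN=8 ]
Mar 25 14:31:03 gw kernel: ICMP-IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=56 TTL=52 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.10 DST=198.51.100.9 LEN=28 TTL=64 PROTO=UDP SPT=4321 DPT=80 LEN=8 ]
Mar 25 14:31:03 gw kernel: ICMP-IN IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=56 TTL=49 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=203.0.113.4 LEN=28 TTL=64 PROTO=UDP SPT=4321 DPT=80 LEN=8 ]
Mar 25 14:31:04 gw kernel: ICMP-IN IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=56 TTL=49 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=203.0.113.4 LEN=28 TTL=64 PROTO=UDP SPT=4321 DPT=53 LEN=8 ]
Mar 25 14:31:05 gw kernel: ICMP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=56 TTL=55 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.20 DST=198.51.100.7 LEN=28 TTL=64 PROTO=UDP SPT=5555 DPT=80 LEN=8 ]
Mar 25 14:31:05 gw kernel: ICMP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=55 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 25 14:31:06 gw kernel: TCP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=55 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN
EOF
}

# Stand-alone run: report hosts with three or more unreachables.
sample_log | icmp_unreach_report 3
```

A high count with many distinct senders is the scanner pattern; a high count from a single sender is more often a spoofed-source flood aimed at that remote firewall, which is exactly the complaint Daniel gets in his mailbox, so the distinct-sender column is worth keeping in the alert.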