Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Sean Donelan wrote: On Mon, 8 Mar 2004, Steve Francis wrote: That was exactly what I was doing by saying I will only get service from ISPs that run loose-uRPF in cores. (or all edges, including peering links.) I will not take service from ISP X, who is cheaper than ISP Y, if ISP X cannot assure me that I will not get bogon sourced traffic on my link. Why do you care how a provider does X? Your requirement doesn't seem to be run loose-uRPF in cores, although that may be one way a provider chooses to solve the problem. You requirement is "not get bogon sourced traffic on your link." I know its tempting to tell other people how to run their networks. But specifying the solution sometimes cuts out alternative solutions which work just as well or maybe better. Correct. I was overstating my requirement. What I really want is as you described: I want assurance that any packet I receive on my proposed circuit is NOT sourced from a patently false IP address. (i.e. no packets sourced from reserved IP addresses, RFC 1918 IP addresses; addresses from blocks not yet allocated by routing registries, or addresses from blocks that are not currently being announced via BGP to the Internet.) I would also prefer that such packets be dropped as far as possible from the POP I am connected to, to minimise the chance of such packets overloading the carriers circuits into that POP. I know of no way to do this other than loose-uRPF in the core, or at least loose-uRPF on all edges, including peering connections. Can any of the operators that are arguing against loose-uRPF in the core state if they run loose uRPF on all peering connections, regardless of speed, as well as on all their edges? Or propose another way to achieve the same thing?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Mon, 8 Mar 2004, Steve Francis wrote: > That was exactly what I was doing by saying I will only get service from > ISPs that run loose-uRPF in cores. (or all edges, including peering links.) > > I will not take service from ISP X, who is cheaper than ISP Y, if ISP X > cannot assure me that I will not get bogon sourced traffic on my link. Why do you care how a provider does X? Your requirement doesn't seem to be run loose-uRPF in cores, although that may be one way a provider chooses to solve the problem. You requirement is "not get bogon sourced traffic on your link." I know its tempting to tell other people how to run their networks. But specifying the solution sometimes cuts out alternative solutions which work just as well or maybe better.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Christopher L. Morrow wrote: 2. I've not seen large networks talking about their awful experiences with SAV. it melts routers, good enough for you? Specifically it melts linecards :( my experience is only on Cisco equipment though, so the linecard/ios/rev games must be played. If you upgrade, or initially install, E3 cards a large portion of this care is not necessary though. This is a problem that could be migrated out as new equipment/capabilities hit everyone's networks. I suspect that market pressure will push things in this direction anyway over time. That was exactly what I was doing by saying I will only get service from ISPs that run loose-uRPF in cores. (or all edges, including peering links.) I will not take service from ISP X, who is cheaper than ISP Y, if ISP X cannot assure me that I will not get bogon sourced traffic on my link. What you are saying above is not a technical argument against uRPF (as you grant that there is equipment that will do uRPF at core speeds.) - its a business one. So I am giving you a business incentive to take to your managers. "Customers want this service which we cannot deliver w/o upgrades. Customers will not give us money unless we spend this money, and they will go to our competitors who have infrastructure that can do it." If your vendors cannot deliver equipment that meets your requirements to meet your customers' needs, you need to say the same thing to your vendors, and vote with dollars for those that can.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Here is some insight on this issue What is Unicast Reverse Path Forwarding (uRPF)? Can a default route 0.0.0.0/0 be used to perform a uRPF check? http://www.cisco.com/warp/public/105/44.html#Q18 -Henry
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Mon, Mar 08, 2004 at 12:40:18AM -0500, Sean Donelan wrote: > > No. The work you've done is expected of you, as a good Internetwork > > neighbour. > > If you're not a good neighbour, next time you need my help, or the help > > of anyone else I know, please expect the finger. > > But I keep trying to do good work; and you keep giving me the finger. Why > should I keep trying to do good work? Remember it works both ways. No I don't! You're a good Internet Neighbour. If I can expect you to do the right thing, you can expect it of me. And if I don't, you give me the finger instead. But don't give it to everyone, as a side of effect of wanting to just flip me off. -- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet:irc.mindspring.com (Earthlink user access only)
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Sean Donelan wrote: On Sun, 7 Mar 2004, E.B. Dreger wrote: SAV doesn't take long to implement. Considering the time spent discounting spoofing when responding to incidents, I think there would be a _net_ savings (no pun intended) in time spent responding to incidents. You would be wrong. There are networks that have deployed SAV/uRPF. They saw no _net_ savings. In the real world, it costs more to deploy and maintain SAV/uRPF. Have you noticed this thread is full of people who don't run large networks saying other people who do run networks should deploy SAV/uRPF. But there hasn't been anyone who does run large networks saying they deployed SAV/uRPF and it saved them money, made their network run better or improved the world? Where do you draw the line between large and not large? Does a university with a /16 count as large? We do both SAV and a version of uRPF. It makes our network run better, saves us money (reduces the amount of time we spend on support and makes troubled/distressed/evil/mean/nasty boxes easier to track down) and reduces backbone congestion making the network run better. Another benefit is it improves the world (betcha' were wondering if I'd squeeze all that in). We're now blocking all SMTP traffic leaving the campus from non-blessed sources (read mail servers). The first day doing this we had comments about less junk mail traffic. We block traffic we consider harmful that shouldn't leave the campus. We're trying to do our part. Any suggestions how we can do better? Ken
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Avleen Vig wrote: > No. The work you've done is expected of you, as a good Internetwork > neighbour. > If you're not a good neighbour, next time you need my help, or the help > of anyone else I know, please expect the finger. But I keep trying to do good work; and you keep giving me the finger. Why should I keep trying to do good work? Remember it works both ways.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
[EMAIL PROTECTED] (vijay gill) writes: > Putting rubber to the road eventually, we actually went ahead and > packetfiltered rfc1918 space on our edge. I know paul and stephen > will be crowing with joy here, as we had several arguments about > it in previous lives, ... fwiw, in retrospect you were right at the time, but in my defense it was only because of things neither of us could have known. given only what we actually knew and could prove, you were deadass wrong :-). -- Paul Vixie
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 09:24:44PM -0500, Sean Donelan wrote: > > If you want others to help you, help them. > > I've already done my part. I'm still waiting for others to help me. > Should I be expecting a check in the mail? No. The work you've done is expected of you, as a good Internetwork neighbour. If you're not a good neighbour, next time you need my help, or the help of anyone else I know, please expect the finger. Yes, I suppose this does sound somewhat like a cross between an old-school network, and rule by bullying. But we don't have a better way (yet). -- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet:irc.mindspring.com (Earthlink user access only)
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 09:24:44PM -0500, Sean Donelan wrote: > On Mon, 8 Mar 2004, E.B. Dreger wrote: > > SD> They saw no _net_ savings. > > SD> > > SD> In the real world, it costs more to deploy and maintain > > SD> SAV/uRPF. [snip] In the real word, there are different networks with different tools and different gear. In some networks, it is a flip of the switch, you are done, and can move on. The direct benefit to my network is eliminating a category of crap from it. I save having to deal with that category. Yes there is other crap, but reducing the workload... reduces the workload. [snip] > has correctly deployed SAV. Even if everyone deploys SAV/uRPF > you never know when someone may misconfigure something, > so you still have to keep doing everything you were doing. You mean internally to the network? Config management must exist for a huge number of reasons. Drop the right knob in your standards and move on. I don't follow 'having to keep doing everything' when I have one less things to do. > In the mean time, you get to pay for the extra costs for deploying > SAV/uRPF in addition to doing everything you were already doing. I'm sorry your network has such huge costs for trivial changes that follow simple logic.Actually, I've lost track of how many tiers of soapboxes are involved here, so I'm not sure what level of hypothetical-vs-real this [sub]thread is tackling. I'll encourage my competators to let more crap on their networks. I'll take out the trash at the points where I can. -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
SD> Date: Sun, 7 Mar 2004 21:24:44 -0500 (EST) SD> From: Sean Donelan SD> This confirms my statement. You save nothing by deploying SD> SAV on your network. There may be some indeterminate benefit Unless, of course, the traffic originated from your network and it simplifies your backtrace. Tracing flows isn't difficult, but it's more time consuming than a traceroute. SD> at some indeterminate time in the future after everyone else SD> in the world correctly implements SAV. But there is no way SD> to verify if every other network in the world has correctly SD> deployed SAV. Even if everyone deploys SAV/uRPF you never s/SAV/AS_PATH filtering and netblock adverts/ in your above statement. While technically true, it's highly disingenuous. Should providers quit filtering those simply because not everyone does it? It's extra cost with no selfish benefit, right? If you want a network to extend that courtesy to you, extend it to them. If you extend the courtesy to them, demand it in return. SD> know when someone may misconfigure something, so you still SD> have to keep doing everything you were doing. Perhaps on a lesser scale, though. There's benefit in knowing something did not originate from certain sources. SD> In the mean time, you get to pay for the extra costs for SD> deploying SAV/uRPF in addition to doing everything you were SD> already doing. Just like AS_PATH and netblock announcement filters. Just like flow monitoring. Just like chasing down spammers. Just like dealing with "pwned" systems. Just like most anything else that wouldn't be necessary in a perfect world. Also note various posters' interest in shifting costs to responsible parties. One can argue what is "reasonable", but consequences boost motivation. Perhaps if lack of certain precautions were considered [legally] negligent, failure would be the more expensive option. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 08:35:54PM +, Christopher L. Morrow wrote: > > > Here is a sticky point... There are reasons to allow 10.x.x.x sources to > transit a network. Mostly the reasons come back to 'broken' configurations > or 'broken' hardware. The reasons still equate to customer calls and > 'broken' networking fromm their perspective. I think the thing you are > actually driving at is the 'intent' of the packet, which is quite tough > for the router to determine. Putting rubber to the road eventually, we actually went ahead and packetfiltered rfc1918 space on our edge. I know paul and stephen will be crowing with joy here, as we had several arguments about it in previous lives, but having gone ahead and filtered it, nothing appears to have broken, or at least nothing got called in. We've been doing it for several months now. /vijay
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Sean Donelan wrote: > This confirms my statement. You save nothing by deploying SAV on your > network. This isnt the point. The point is, why should others suffer the burden of your clients spewing bogon/spoofed/nonsense garbage at them? The effect is cumulative. If everyone takes this lazy apathetic approach to network administration, it hurts everyone. Its the difference between being a good neighbor and being the fat beerbelly neighbor with dogs barking all night and rusting camaro with no tires up on cinderblocks on his beercan littered lawn. Just because everyone else doesnt maintain a good network doesnt mean you shouldnt. -Dan
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Sean Donelan wrote: On Mon, 8 Mar 2004, E.B. Dreger wrote: SD> They saw no _net_ savings. SD> SD> In the real world, it costs more to deploy and maintain SD> SAV/uRPF. The benefit is to other networks. When other networks make your life easier, you benefit. This confirms my statement. How much do you save by putting handrails on your stairways? Restrooms in you lobby? Precipitators on your smoke stacks?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Mon, 8 Mar 2004, E.B. Dreger wrote: > SD> They saw no _net_ savings. > SD> > SD> In the real world, it costs more to deploy and maintain > SD> SAV/uRPF. > > The benefit is to other networks. When other networks make your > life easier, you benefit. This confirms my statement. You save nothing by deploying SAV on your network. There may be some indeterminate benefit at some indeterminate time in the future after everyone else in the world correctly implements SAV. But there is no way to verify if every other network in the world has correctly deployed SAV. Even if everyone deploys SAV/uRPF you never know when someone may misconfigure something, so you still have to keep doing everything you were doing. In the mean time, you get to pay for the extra costs for deploying SAV/uRPF in addition to doing everything you were already doing. http://www.rhyolite.com/anti-spam/you-might-be.html > If you want others to help you, help them. I've already done my part. I'm still waiting for others to help me. Should I be expecting a check in the mail?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
CLM> Date: Mon, 8 Mar 2004 01:32:51 + (GMT) CLM> From: Christopher L. Morrow CLM> in a perfect world yes[...] CLM> Until this is a default behaviour and you can't screw it up CLM> (ala directed-broadcast) this will be something we all have CLM> to deal with. Yes. But the only way we'll get there is 1) a flag day or 2) if we gradually work in that direction. CLM> it melts routers, good enough for you? Specifically it CLM> melts linecards :( :-( CLM> This is a problem that could be migrated out as new CLM> equipment/capabilities hit everyone's networks. I suspect CLM> that market pressure will push things in this direction CLM> anyway over time. ...and hopefully will be safe-by-default. Anyone who has multihomed downstreams should be clued enough to disable strict SAV as needed -- similar to, yet the opposite of, manually configuring OSPF to treat interfaces as passive by default. As for low-end routers, uRPF is supported on 26xx. I don't know about a 16xx or 25xx... a scary thought, but chances are such a router would have a very small list of reachable netblocks to check. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Mon, 8 Mar 2004, E.B. Dreger wrote: > > SD> Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST) > SD> From: Sean Donelan > > > SD> SAV doesn't tell you where the packets came from. At best > SD> SAV tells you where the packets didn't come from. > > If SAV were universal, source addresses could not be spoofed. If > source addresses could not be spoofed... in a perfect world yes, for today we still have LOTS of folks that firewall in one direction only. A great example of this is the great firewall of China :( How, if they are filtering every packet that leaves their country, can I still get attacked from them? :( Until this is a default behaviour and you can't screw it up (ala directed-broadcast) this will be something we all have to deal with. > > SD> Have you noticed this thread is full of people who don't run > SD> large networks saying other people who do run networks should > SD> deploy SAV/uRPF. > > 1. SAV is most effective at the edge, which often implies the >smaller networks should be doing it excellent, the original point of the conversation has been satisfied... uRPF for the core is not a good plan, edge networks are a great place for this. Doing this on single homed customers is a great step in the right direction. However, as you say, the best place for this is on the edge of the network. So this implies that each edge LAN router will/should have uRPF or atleast an acl permitting only local LAN traffic to source from it, right? I have a question, I wonder if uRPF works on low end platforms without running CEF? Do all low-end platforms gracefully support CEF along with the other things enterprises typically do on routers? (just a question really...) > > 2. I've not seen large networks talking about their awful >experiences with SAV. > it melts routers, good enough for you? Specifically it melts linecards :( my experience is only on Cisco equipment though, so the linecard/ios/rev games must be played. If you upgrade, or initially install, E3 cards a large portion of this care is not necessary though. This is a problem that could be migrated out as new equipment/capabilities hit everyone's networks. I suspect that market pressure will push things in this direction anyway over time.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
SD> Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST) SD> From: Sean Donelan SD> SAV doesn't tell you where the packets came from. At best SD> SAV tells you where the packets didn't come from. If SAV were universal, source addresses could not be spoofed. If source addresses could not be spoofed... SD> You would be wrong. There are networks that have deployed SD> SAV/uRPF. Some. I said "all". SD> They saw no _net_ savings. SD> SD> In the real world, it costs more to deploy and maintain SD> SAV/uRPF. The benefit is to other networks. When other networks make your life easier, you benefit. If you want others to help you, help them. SD> Have you noticed this thread is full of people who don't run SD> large networks saying other people who do run networks should SD> deploy SAV/uRPF. 1. SAV is most effective at the edge, which often implies the smaller networks should be doing it 2. I've not seen large networks talking about their awful experiences with SAV. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
removed paul from the direct reply since his mailserver doesn't like uunet mail servers :) On Sun, 7 Mar 2004, Stephen J. Wilcox wrote: > > smurf attacks are far from 'non-existent' today, however they are not as > > popular as in 1999-2000-2001. > > thats interesting, i've not seen/heard of one for ages.. (guess u have a wider > testing ground :) > just last week we had one... they do still happen. > > In fact netscan.org still shows almost 9k networks that are 'broken'. > > actually i just ran that file thro a quick awk and sort to see to what extent > these networks exist.. > > as you can see almost all only reply two or three times, not like in the old > days with >100 replies being commonplace.. > Sure, but a list of 9k networks with this leve of response is still enough to do damage. It's getting better, no doubt about it but it's still a factor. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
> smurf attacks are far from 'non-existent' today, however they are not as > popular as in 1999-2000-2001. thats interesting, i've not seen/heard of one for ages.. (guess u have a wider testing ground :) > In fact netscan.org still shows almost 9k networks that are 'broken'. actually i just ran that file thro a quick awk and sort to see to what extent these networks exist.. as you can see almost all only reply two or three times, not like in the old days with >100 replies being commonplace.. 5224 2 1834 3 897 4 334 5 167 6 56 7 19 8 15 9 7 10 11 11 6 12 3 13 6 14 1 15 1 16 4 17 5 18 1 23 1 26 1 28 1 100
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 08:48:00PM +, Christopher L. Morrow wrote: > > > actually, it would. universal uRPF would stop some attacks, and it would > > > remove a "plan B" option for some attack-flowcharts. i would *much* rather > > > play defense without facing this latent weapon available to the offense. > > > > I'm agreeing here, okay (yet anoter) example.. smurf attacks. These seem to be > > non-existent these days so shall we stop disabling 'ip directed-broadcast' on > > our routers? > > smurf attacks are far from 'non-existent' today, however they are not as > popular as in 1999-2000-2001. In fact netscan.org still shows almost 9k > networks that are 'broken'. A few of us tried (like netscan, only more agressively on a weekly basis) to find and try to get closed, smurf amplifiers in the RIPE region. We eventually gave up after closing ~20k, when the last few k refused to do anything at all. "My network is just a /30! Who cares, you're only getting TWO replies back for ONE packet, it's not like the big amplifiers! I'm not going to fix this!". To anyone with this attitude: You are an idiot. -- Avleen Vig Systems Administrator
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 08:28:53PM +, Christopher L. Morrow wrote: > > Without any data to back this up, I'm estimating based on the attacks > > I've dealt with. > > I don't believe the number have gone down at all. If it has, it's done > > that for someone else, not me, > > Is this attacks on 'known magnets' or 'random stuff'. From what I've seen > the frequency of attacks on 'all customers' seems to be slowing SOME. > There are the normal nuisance points which attract attacks for whichever > reason. So, Avleen, can you seperate the 'known magnets' from 'random > stuff' and say which direction the trend is moving? If we class "popular websites", "servers / networks at major ISPs", "IRC servers" and "the latest popular thing" as magnets, and "small business sites", "personal pages" etc as the random stuff, then I don't believe attacks on magnets have gone down at all. On the random stuff I cannot comment, as I've had surprisingly little dealing with that. > As to the 'strength' of attacks. It seems that bandwidth and pps rates > have incresed over time. This COULD BE because you can own up 10,000 xp > machines in a heartbeat, or it could be a reflection of > bigger/better/faster single hosts being taken over. It's hard to tell from > my end of the party :( I don't think it would be unfair to assume it is both. Again that stands to simple logic. More hosts on the internet = more potential drones. More availible global bandwidth = larger volume output from each drone. > > I don't have any evidence. Nor do I *believe* the number of attacks is > > decreasing. If anything, its staying the same or going up, as more > > people decide it's fun to take networks offline through the greater and > > greater number of compromised hosts. > > The greater number of compromisable hosts seems to be the constant in this > arguement. So, like we've said for several years, until the end station is > secured 'better' the consistency and strength of attacks will continue > that upward trend. Indeed. I believe the ISP of the end user is the party responsible here. If the ISP is allowing access through their network, they need to be responsible for the data leaving their networl which originates in their network.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, E.B. Dreger wrote: > If SAV were universal (ha ha ha!), one could discount spoofed > traffic when analyzing flows. But, hey, why bother playing nice > and helping other networks, eh? SAV doesn't tell you where the packets came from. At best SAV tells you where the packets didn't come from. > Am I the only one who's had IWFs -- even legitimate entities -- > complain about packets "from your network" that weren't? It > certainly would have been nice if $other_networks had used SAV. You still need to spend the same amount of time tracing the flows because you can't tell from the packet itself if something went wrong with SAV. Even if everyone said they did SAV (and meant it), things like uRPF rely on a number of things to work correctly. If any of those break or aren't secure, you still can't rely on the source address being accurate. Even if you deployed SAV/uRPF on 100% of your network, you probably wouldn't want to tell people about it due to the idiots with firewalls. > SAV doesn't take long to implement. Considering the time spent > discounting spoofing when responding to incidents, I think there > would be a _net_ savings (no pun intended) in time spent > responding to incidents. You would be wrong. There are networks that have deployed SAV/uRPF. They saw no _net_ savings. In the real world, it costs more to deploy and maintain SAV/uRPF. Have you noticed this thread is full of people who don't run large networks saying other people who do run networks should deploy SAV/uRPF. But there hasn't been anyone who does run large networks saying they deployed SAV/uRPF and it saved them money, made their network run better or improved the world?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Stephen J. Wilcox wrote: > > > actually, it would. universal uRPF would stop some attacks, and it would > > remove a "plan B" option for some attack-flowcharts. i would *much* rather > > play defense without facing this latent weapon available to the offense. > > I'm agreeing here, okay (yet anoter) example.. smurf attacks. These seem to be > non-existent these days so shall we stop disabling 'ip directed-broadcast' on > our routers? smurf attacks are far from 'non-existent' today, however they are not as popular as in 1999-2000-2001. In fact netscan.org still shows almost 9k networks that are 'broken'.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Laurence F. Sheldon, Jr. wrote: > > fingers wrote: > > > just a question > > > > why is DDoS the only issue mentioned wrt source address validation? > > > > i'm sure there's other reasons to make sure your customers can't send > > spoofed packets. they might not always be as news-worthy, but i feel it's > > a provider's duty to do this. it shouldn't be optional (talking > > specifically about urpf on customer interfaces, loose where needed) > > Because _Distributed_ is the hot buzzword of the day. and people offten seperate 'ddos' from 'dos', even though the end is the same as far as your customer is concerned... it's kinda funny really :) > > At least one of us thinks clean traffic is a Good Thing all the time. > > Packets that can't possibley be used for anything ought to be dumped at > the earliest possible opportunity as soon as it is apparent (or could > be if anybody looked) that they are "from" addresses that can't be > reached or have any other obviously fatal defect. Here is a sticky point... There are reasons to allow 10.x.x.x sources to transit a network. Mostly the reasons come back to 'broken' configurations or 'broken' hardware. The reasons still equate to customer calls and 'broken' networking fromm their perspective. I think the thing you are actually driving at is the 'intent' of the packet, which is quite tough for the router to determine. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, fingers wrote: > > just a question > > why is DDoS the only issue mentioned wrt source address validation? its easier to discuss than other things... for instance the number of broken vpn/nat systems out there that uRPF will break. Also, the folks with private addressed cores that will start appearing 'broken' when traceroute/unreachables stop working across their networks... > > i'm sure there's other reasons to make sure your customers can't send > spoofed packets. they might not always be as news-worthy, but i feel it's > a provider's duty to do this. it shouldn't be optional (talking > specifically about urpf on customer interfaces, loose where needed) > I'm not sure that anyone would argue that uRPF is bad, the arguement is in it's placement. I do think that part still needs to be worked out, that and making sure that your equipment can handle the task. There are certainly some people hampered by early adoption of some technologies which they can't get out from under in any reasonable fashion. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Avleen Vig wrote: > > On Sun, Mar 07, 2004 at 02:13:38AM -0500, Sean Donelan wrote: > > > Try saying that after running a major DDoS target, with "HIT ME" your > > > forehead. > > > No offense Sean but I'd like you to back your claim up with some > > > impirical data first. > > > > Has the number of DDOS attacks increased or decreased in the last few > > years has uRPF has become more widely deployed? > > Do you have any evidence the number of attacks are decreasing? > > Without any data to back this up, I'm estimating based on the attacks > I've dealt with. > I don't believe the number have gone down at all. If it has, it's done > that for someone else, not me, Is this attacks on 'known magnets' or 'random stuff'. From what I've seen the frequency of attacks on 'all customers' seems to be slowing SOME. There are the normal nuisance points which attract attacks for whichever reason. So, Avleen, can you seperate the 'known magnets' from 'random stuff' and say which direction the trend is moving? As to the 'strength' of attacks. It seems that bandwidth and pps rates have incresed over time. This COULD BE because you can own up 10,000 xp machines in a heartbeat, or it could be a reflection of bigger/better/faster single hosts being taken over. It's hard to tell from my end of the party :( > > I don't have any evidence. Nor do I *believe* the number of attacks is > decreasing. If anything, its staying the same or going up, as more > people decide it's fun to take networks offline through the greater and > greater number of compromised hosts. > The greater number of compromisable hosts seems to be the constant in this arguement. So, like we've said for several years, until the end station is secured 'better' the consistency and strength of attacks will continue that upward trend.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
> actually, it would. universal uRPF would stop some attacks, and it would > remove a "plan B" option for some attack-flowcharts. i would *much* rather > play defense without facing this latent weapon available to the offense. I'm agreeing here, okay (yet anoter) example.. smurf attacks. These seem to be non-existent these days so shall we stop disabling 'ip directed-broadcast' on our routers? Steve
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 2004-03-07 at 11:08, fingers wrote: > just a question > > why is DDoS the only issue mentioned wrt source address validation? uRPF, strict mode, is how I control 1000+ DSL pvc's from leaking private address space via broken NAT. Also, all other customer facing interfaces run uRPF, strict mode. It is a very powerful tool; null route some trouble causing customer space and traffic destined to this space is dropped via this null route AND traffic sourced from this space is dropped via uRPF, strict check. An AS112 NS also takes care of another facet of this problem. As to the question of DDoS'es and spoofed address space; once we close the hole of allowing DDoS'es to come from untraceable address space I feel we gain something very useful. We now know where the bad stuff is coming from. The solution to DDoS is not a black box that will go to Def Con 1 at the first sign of a port scan. You don't put out a fire with more fuel. Criminal investigation techniques are quite advanced. We cannot start to put them to use if attacks come from addresses that do not point back to the attacker. I am just as jaded as the next person with the present lack of law enforcement support in abuse issues but all of this is a quite new form of crime through a new medium. A "push back" system would give us the ability to quickly bring DDoS/DoS'es under control and complement a system to track down, gather evidence, and prosecute to persons in control of a DDoS/DoS. Based on my limited experience with all of this it seems the place for uRPF is not at the core (core in the context of the Internet backbone) but at the customer edge, where the problem starts. -- James H. Edwards Routing and Security At the Santa Fe Office: Internet at Cyber Mesa [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
SD> Date: Sun, 7 Mar 2004 02:13:38 -0500 (EST) SD> From: Sean Donelan SD> Has the number of DDOS attacks increased or decreased in the SD> last few years has uRPF has become more widely deployed? Number of life guards on duty increases in the summer. So does drowning. Therefore, having life guards on duty is not an effective measure to prevent drowning. Ice cream consumption increases in the summer. So does drowning. Therefore, it is ice cream consumption that causes drowning. (Time for arguments over who has the best and worst analogies!) SD> Do you have any evidence the number of attacks are decreasing? Is "number of attacks" the sole metric? Are all attacks created equal? Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
SD> Date: Sat, 6 Mar 2004 22:04:58 -0500 (EST) SD> From: Sean Donelan SD> Would you rather ISPs spend money to SD> 1. Deploying S-BGP? SD> 2. Deploying uRPF? SD> 3. Respond to incident reports? Let's look at the big picture instead of a taking a shallow mutex approach. If SAV were universal (ha ha ha!), one could discount spoofed traffic when analyzing flows. But, hey, why bother playing nice and helping other networks, eh? Am I the only one who's had IWFs -- even legitimate entities -- complain about packets "from your network" that weren't? It certainly would have been nice if $other_networks had used SAV. SAV doesn't take long to implement. Considering the time spent discounting spoofing when responding to incidents, I think there would be a _net_ savings (no pun intended) in time spent responding to incidents. Alas, that requires cooperation and doesn't provide instantaneous gratification. If it doesn't make/save a quick buck, why bother? Detection of sarcasm is left as an exercise to the reader. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
fingers wrote: just a question why is DDoS the only issue mentioned wrt source address validation? i'm sure there's other reasons to make sure your customers can't send spoofed packets. they might not always be as news-worthy, but i feel it's a provider's duty to do this. it shouldn't be optional (talking specifically about urpf on customer interfaces, loose where needed) Because _Distributed_ is the hot buzzword of the day. At least one of us thinks clean traffic is a Good Thing all the time. Packets that can't possibley be used for anything ought to be dumped at the earliest possible opportunity as soon as it is apparent (or could be if anybody looked) that they are "from" addresses that can't be reached or have any other obviously fatal defect.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
just a question why is DDoS the only issue mentioned wrt source address validation? i'm sure there's other reasons to make sure your customers can't send spoofed packets. they might not always be as news-worthy, but i feel it's a provider's duty to do this. it shouldn't be optional (talking specifically about urpf on customer interfaces, loose where needed)
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, Mar 07, 2004 at 02:13:38AM -0500, Sean Donelan wrote: > > Try saying that after running a major DDoS target, with "HIT ME" your > > forehead. > > No offense Sean but I'd like you to back your claim up with some > > impirical data first. > > Has the number of DDOS attacks increased or decreased in the last few > years has uRPF has become more widely deployed? > Do you have any evidence the number of attacks are decreasing? Without any data to back this up, I'm estimating based on the attacks I've dealt with. I don't believe the number have gone down at all. If it has, it's done that for someone else, not me, I don't have any evidence. Nor do I *believe* the number of attacks is decreasing. If anything, its staying the same or going up, as more people decide it's fun to take networks offline through the greater and greater number of compromised hosts. If you want to do a little test, try this: In the last 5 years, compromised hosts have become a favourite for launching DDoS attacks from. If the number of compromised hosts with outbound Internet access has gone up, then either the frequency of attacks, or the amplitude of said attacks, or both have gone UP. We all know the number of compromised hosts continues to go up. The rest is simple logic. -- Avleen Vig Systems Administrator
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Avleen Vig wrote: > On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote: > > Source address validation (or Cisco's term uRPF) is perhaps more widely > > deployed than people realize. Its not 100%, but what's interesting is > > despite its use, it appears to have had very little impact on DDOS or > > lots of other bad things. > > Try saying that after running a major DDoS target, with "HIT ME" your > forehead. > No offense Sean but I'd like you to back your claim up with some > impirical data first. Has the number of DDOS attacks increased or decreased in the last few years has uRPF has become more widely deployed? Do you have any evidence the number of attacks are decreasing?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote: > Source address validation (or Cisco's term uRPF) is perhaps more widely > deployed than people realize. Its not 100%, but what's interesting is > despite its use, it appears to have had very little impact on DDOS or > lots of other bad things. Try saying that after running a major DDoS target, with "HIT ME" your forehead. No offense Sean but I'd like you to back your claim up with some impirical data first. >From experience the majority of TCP based denial of service attacks (which usually seem to be balanced with UDP, but ICMP is not as frequent as it once was), use spoofed sources. -- Avleen Vig Systems Administrator Personal: www.silverwraith.com
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
> ... > buying screen doors for igloos may not be the best use of resources. uRPF > doesn't actually prevent any attacks. actually, it would. universal uRPF would stop some attacks, and it would remove a "plan B" option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense. > Would you rather ISPs spend money to > 1. Deploying S-BGP? > 2. Deploying uRPF? > 3. Respond to incident reports? "yes." and i can remember being sick and tired of competing (on price, no less) against providers who couldn't/wouldn't do #2 or #3. i'm out of the isp business at the moment, but the "race to the bottom" mentality is still a pain in my hindquarters, both present and remembered.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Laurence F. Sheldon, Jr. wrote: > > Would you rather ISPs spend money to > > 1. Deploying S-BGP? > > 2. Deploying uRPF? > > 3. Respond to incident reports? > > Why are we limited to that set? You are not limited to any particular set. However you are limited. No one has infinite resources. Pick and choose the things you do, and you will discover you still do not do everything everyone wants. Create your own list of things to spend money on. Was uRPF high enough on your list before you ran out of money? Why did you choose to spend money on other security projets instead of uRPF, or the opposite why did you choose to spend money on uRPF instead of other things which would have improved security?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Dan Hollis wrote: > sadly the prevailing thought seems to be 'we cant block every exploit so > we will block none'. this (and others) are used as an excuse to not deploy > urpf on edge interfaces facing singlehomed customers. This is one of the few locations SAV/uRPF consistently works. SAV/uRPF is widely (but not 100%) deployed int those location. However I think you are mis-stating the issue. I do not know of anyone that has stated your reason as the reason not to deploy SAV/uRPF on non-routing interfaces. The issue which prompt this thread was deploying uRPF on multi-path backbone interfaces using active routing. How many exploits does uRPF block? Biometric smart cards may do wonders for credit card fraud. Why don't credit card companies replace all existing cards with them? Does uRPF solve more problems than it causes, and saves more than it costs?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Sean Donelan wrote: Would you rather ISPs spend money to 1. Deploying S-BGP? 2. Deploying uRPF? 3. Respond to incident reports? Why are we limited to that set?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Paul Vixie wrote: > don't be lulled into some kind of false sense of security by the fact > that YOU are not seeing spoofed packets TODAY. let's close the doors we > CAN close, and give attackers fewer options. I don't have a false sense of security. We have lots of open doors and windows and even missing walls. Let's close the doors we can close, but buying screen doors for igloos may not be the best use of resources. uRPF doesn't actually prevent any attacks. Would you rather ISPs spend money to 1. Deploying S-BGP? 2. Deploying uRPF? 3. Respond to incident reports?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Paul Vixie wrote: > don't be lulled into some kind of false sense of security by the fact > that YOU are not seeing spoofed packets TODAY. let's close the doors we > CAN close, and give attackers fewer options. sadly the prevailing thought seems to be 'we cant block every exploit so we will block none'. this (and others) are used as an excuse to not deploy urpf on edge interfaces facing singlehomed customers. its a fatalistic approach to dealing with network abuse, and its retarded. -Dan
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
> After all these years, perhaps its time to re-examine the assumptions. it's always fun and useful to re-example assumptions. for example, anyone who assumes that because the attacks they happen to see, or the attacks they hear about lately, don't use spoofed source addresses -- that spoofing is no longer a problem, needs to re-examine that assumption. for one thing, spoofed sources could be occurring outside local viewing. for another thing, spoofed sources could be "plan B" when other attacks aren't effective. the last thing is, this is war. information warfare. the enemy knows us better than we know them, and their cost of failure is drastically lower than our cost of failure. don't be lulled into some kind of false sense of security by the fact that YOU are not seeing spoofed packets TODAY. let's close the doors we CAN close, and give attackers fewer options.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
--On 06 March 2004 18:39 -0500 Sean Donelan <[EMAIL PROTECTED]> wrote: Source address validation (or Cisco's term uRPF) is perhaps more widely deployed than people realize. Its not 100%, but what's interesting is despite its use, it appears to have had very little impact on DDOS or lots of other bad things. ... But relatively few DDOS attacks use spoofed packets. If more did, they would be easier to deal with. AIUI that's cause & effect: the gradual implementation of source-address validation has made attacks dependent on spoofing less attractive to perpetrators. Whereas the available of large pools of zombie machines has made the use of source spoofing unnecessary. Cisco et al have shut one door, but another one (some suggest labeled Microsoft) has opened. Those with long memories might draw parallels with the evolution of phreaking from abuse of the core, which became (reasonably) protected to abuse of unprotected PABXen. As I think I said only a couple of days ago, there is nothing new in the world. Alex
Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Paul Vixie wrote: > (and according to that text, it was a 9-year-old idea at that time.) > > it's now 2004. how much longer do we want to have this problem? Source address validation (or Cisco's term uRPF) is perhaps more widely deployed than people realize. Its not 100%, but what's interesting is despite its use, it appears to have had very little impact on DDOS or lots of other bad things. Root and other DNS servers bear the brunt of misconfigured (not necessarily malicious attack) devices. So some people's point of view may be different. But relatively few DDOS attacks use spoofed packets. If more did, they would be easier to deal with. After all these years, perhaps its time to re-examine the assumptions.