Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

2016-09-26 Thread Vincent Bernat
 ❦ 26 September 2016 09:14 CEST, valdis.kletni...@vt.edu :

>> Linux:
>> From /etc/sysctl.conf:
>>
>> # Uncomment the next two lines to enable Spoof protection (reverse-path
>> # filter)
>> # Turn on Source Address Verification in all interfaces to
>> # prevent some spoofing attacks
>> net.ipv4.conf.default.rp_filter=1
>> net.ipv4.conf.all.rp_filter=1

Only "all" is needed since the kernel will use the max of all and the
current interface value.

>> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a
>> thing on Linux.
>
> See net/ipv6/netfilter/ip6t_rpfilter.c
>
> Also, note that a lot of net.ipv4.conf variables also apply to ipv6 (though
> checking the source tree, this isn't one of them, unless it's via a macro that
> some quick grepping didn't find...)

Yes, it doesn't apply. In Linux, there is no such thing as feature
parity for IPv6. davem said in the past that he didn't want this feature
in IPv6 and was planning to remove it in IPv4 (but I think this will
never happen):
 http://www.spinics.net/lists/netdev/msg166280.html

I am using this instead (assuming ip46tables is iptables + ip6tables):

# Dedicated chain in the raw table, so the check runs before conntrack
ip46tables -t raw -N RPFILTER
# Sources that pass the reverse path check go straight back to PREROUTING
ip46tables -t raw -A RPFILTER -m rpfilter -j RETURN
# IPv4: DHCP client broadcasts have no reverse route, let them through
iptables   -t raw -A RPFILTER -d 255.255.255.255 -p udp --sport bootpc --dport bootps -j RETURN
# IPv6: multicast that only passes with --accept-local (local source) is dropped without logging
ip6tables  -t raw -A RPFILTER -m rpfilter --accept-local -m addrtype --dst-type MULTICAST -j DROP
# Everything else failed the check: rate-limited log via NFLOG, then drop
ip46tables -t raw -A RPFILTER -m limit --limit 5/s --limit-burst 5 \
   -j NFLOG --nflog-group 99 \
   --nflog-prefix "NF: rpfilter: "
ip46tables -t raw -A RPFILTER -j DROP
# Hook the chain into PREROUTING for all incoming packets
ip46tables -t raw -A PREROUTING -j RPFILTER
-- 
Use data arrays to avoid repetitive control sequences.
- The Elements of Programming Style (Kernighan & Plauger)


Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

2016-09-26 Thread Valdis . Kletnieks
On Sun, 25 Sep 2016 21:19:31 -0700, Hugo Slabbert said:

> Linux:
> From /etc/sysctl.conf:
>
> # Uncomment the next two lines to enable Spoof protection (reverse-path
> # filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.all.rp_filter=1
>
> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a
> thing on Linux.

See net/ipv6/netfilter/ip6t_rpfilter.c

Also, note that a lot of net.ipv4.conf variables also apply to ipv6 (though
checking the source tree, this isn't one of them, unless it's via a macro that
some quick grepping didn't find...)




BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

2016-09-25 Thread Hugo Slabbert


On Sun 2016-Sep-25 15:59:15 -0700, Stephen Satchell wrote:

> On 09/25/2016 07:32 AM, Jay R. Ashworth wrote:
>> From: "Jay Farrell via NANOG"
>>> And of course Brian Krebs has a thing or two to say, not the least of which
>>> is to push for BCP38 (good luck with that, right?).
>>>
>>> https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
>>
>> Well, given how few contributions we've gotten at bcp38.info in the last,
>> what, 4 years, yeah, I guess so...
>
> Yeah, right.  I looked at BCP38.info, and there is very little
> concrete information.  I've been slogging through the two RFCs, 2827
> and 3794, and find it tough sledding to extract the nuggets to put
> into my firewall and routing table.  One of the more interesting new
> additions to my systems is this, to the routing tables:
>
> ### snip ###
>
> In short, I have yet to see a "cookbook" for BCP38 filtering, for ANY
> filtering system -- BSD, Linux, Cisco.


I am guilty of not yet contributing cookbook-type info to BCP38.info, but:

Cisco:
http://www.bcp38.info/index.php/HOWTO:Cisco points at 
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html


Juniper:
https://www.juniper.net/documentation/en_US/junos14.2/topics/usage-guidelines/interfaces-configuring-unicast-rpf.html
http://www.juniper.net/documentation/en_US/junos15.1/topics/topic-map/unicast-rpf.html

Linux:
From /etc/sysctl.conf:

# Uncomment the next two lines to enable Spoof protection (reverse-path
# filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a 
thing on Linux.


For a belt-and-suspenders approach:
If you're running an edge network and not transiting traffic for any other 
AS, consider using your assigned aggregates prefix lists to filter on 
egress on your edge for anything not sourced from those aggregates.


I'm curious as to the deployment scope and experiences of various sizes of 
networks in deploying the following:


1.  Strict uRPF on customer-facing ports on edge networks
2.  Source address filtering on upstream edge egress based on assigned
    aggregates
3.  Destination address filtering on upstream edge ingress based on
    assigned aggregates


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal
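As an added illustration of the checks discussed in this thread (Vincent's point that Linux takes the max of conf.all and the per-interface rp_filter, strict versus loose reverse-path checking, and the egress/ingress aggregate filters in the list above), here is a small Python model; it is not code posted by anyone in the thread, and the interface names, routing table and assigned prefixes are constructed from RFC 5737 documentation space:

```python
# Added example, not code posted by anyone in the thread: a model of the
# reverse-path checks under discussion. Interface names, the routing table
# and the assigned prefixes are constructed (RFC 5737 documentation space).
from ipaddress import ip_address, ip_network

# Constructed FIB: (prefix, egress interface); longest prefix match applies.
ROUTES = [
    (ip_network("0.0.0.0/0"), "upstream0"),        # default route via transit
    (ip_network("203.0.113.0/24"), "cust0"),       # customer A
    (ip_network("198.51.100.0/24"), "cust1"),      # customer B
]
# Prefixes assigned to this network (used for the edge egress/ingress filters).
ASSIGNED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def lookup(addr):
    """Return the interface the FIB would use to reach addr, or None."""
    best = None
    for net, dev in ROUTES:
        if ip_address(addr) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def effective_rp_filter(all_value, iface_value):
    """Linux applies max(conf.all.rp_filter, conf.<iface>.rp_filter),
    which is why setting only 'all' is sufficient."""
    return max(all_value, iface_value)


def rp_filter(src, in_dev, mode):
    """Emulate rp_filter: 0 = off, 1 = strict uRPF, 2 = loose uRPF.
    Returns True when the packet passes the check."""
    if mode == 0:
        return True
    reverse_dev = lookup(src)
    if mode == 2:
        # Loose mode only asks whether *some* route to the source exists;
        # with a default route present it therefore passes every source.
        return reverse_dev is not None
    # Strict mode: the route back to the source must leave via the
    # interface the packet arrived on.
    return reverse_dev == in_dev


def egress_ok(src):
    """Upstream egress filter: only our own aggregates may be sourced."""
    return any(ip_address(src) in n for n in ASSIGNED)


def ingress_ok(dst):
    """Upstream ingress filter: only traffic to our aggregates may enter."""
    return any(ip_address(dst) in n for n in ASSIGNED)
```

Note that loose mode passes the spoofed customer source in this model because of the default route, which is why strict mode is the one that matters on customer-facing ports.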

