Vixie
Sent: Sunday, March 07, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Source address validation
[two responses here]
1 of 2
[EMAIL PROTECTED] (fingers) writes:
why is DDoS the only issue mentioned wrt source address validation?
i'm sure there's other reasons
From: Paul Vixie [EMAIL PROTECTED]
Date: 08 Mar 2004 06:35:16 +
[EMAIL PROTECTED] (Ken Diliberto) writes:
[...snip...]
We're now blocking all SMTP traffic leaving the campus from non-blessed
sources (read mail servers). The first day doing this we had comments
about less
On Mon, Mar 08, 2004 at 12:40:18AM -0500, Sean Donelan wrote:
No. The work you've done is expected of you, as a good Internetwork
neighbour.
If you're not a good neighbour, next time you need my help, or the help
of anyone else I know, please expect the finger.
But I keep trying to do
Here is some insight on this issue
What is Unicast Reverse Path Forwarding (uRPF)? Can a default route 0.0.0.0/0 be used to perform a uRPF check?
http://www.cisco.com/warp/public/105/44.html#Q18
-Henry
Christopher L. Morrow wrote:
2. I've not seen large networks talking about their awful
experiences with SAV.
it melts routers, good enough for you? Specifically it melts linecards :(
my experience is only on Cisco equipment though, so the linecard/ios/rev
games must be played. If you
On Mon, 8 Mar 2004, Steve Francis wrote:
That was exactly what I was doing by saying I will only get service from
ISPs that run loose-uRPF in cores. (or all edges, including peering links.)
I will not take service from ISP X, who is cheaper than ISP Y, if ISP X
cannot assure me that I will
Sean Donelan wrote:
On Mon, 8 Mar 2004, Steve Francis wrote:
That was exactly what I was doing by saying I will only get service from
ISPs that run loose-uRPF in cores. (or all edges, including peering links.)
I will not take service from ISP X, who is cheaper than ISP Y, if ISP X
cannot
On Sun, Mar 07, 2004 at 02:13:38AM -0500, Sean Donelan wrote:
Try saying that after running a major DDoS target, with HIT ME your
forehead.
No offense Sean but I'd like you to back your claim up with some
empirical data first.
Has the number of DDOS attacks increased or decreased in
just a question
why is DDoS the only issue mentioned wrt source address validation?
i'm sure there's other reasons to make sure your customers can't send
spoofed packets. they might not always be as news-worthy, but i feel it's
a provider's duty to do this. it shouldn't be optional (talking
fingers wrote:
just a question
why is DDoS the only issue mentioned wrt source address validation?
i'm sure there's other reasons to make sure your customers can't send
spoofed packets. they might not always be as news-worthy, but i feel it's
a provider's duty to do this. it shouldn't be
SD Date: Sat, 6 Mar 2004 22:04:58 -0500 (EST)
SD From: Sean Donelan
SD Would you rather ISPs spend money to
SD 1. Deploying S-BGP?
SD 2. Deploying uRPF?
SD 3. Respond to incident reports?
Let's look at the big picture instead of taking a shallow mutex
approach.
If SAV were
SD Date: Sun, 7 Mar 2004 02:13:38 -0500 (EST)
SD From: Sean Donelan
SD Has the number of DDOS attacks increased or decreased in the
SD last few years as uRPF has become more widely deployed?
Number of life guards on duty increases in the summer. So does
drowning. Therefore, having life
On Sun, 2004-03-07 at 11:08, fingers wrote:
just a question
why is DDoS the only issue mentioned wrt source address validation?
uRPF, strict mode, is how I control 1000+ DSL pvc's from leaking private
address space via broken NAT. Also, all other customer facing interfaces
run uRPF, strict
actually, it would. universal uRPF would stop some attacks, and it would
remove a plan B option for some attack-flowcharts. i would *much* rather
play defense without facing this latent weapon available to the offense.
I'm agreeing here, okay (yet another) example.. smurf attacks. These seem
On Sun, 7 Mar 2004, Avleen Vig wrote:
On Sun, Mar 07, 2004 at 02:13:38AM -0500, Sean Donelan wrote:
Try saying that after running a major DDoS target, with HIT ME your
forehead.
No offense Sean but I'd like you to back your claim up with some
empirical data first.
Has the
On Sun, 7 Mar 2004, fingers wrote:
just a question
why is DDoS the only issue mentioned wrt source address validation?
its easier to discuss than other things... for instance the number of
broken vpn/nat systems out there that uRPF will break. Also, the folks
with private addressed cores
On Sun, 7 Mar 2004, Laurence F. Sheldon, Jr. wrote:
fingers wrote:
just a question
why is DDoS the only issue mentioned wrt source address validation?
i'm sure there's other reasons to make sure your customers can't send
spoofed packets. they might not always be as news-worthy,
On Sun, 7 Mar 2004, Stephen J. Wilcox wrote:
actually, it would. universal uRPF would stop some attacks, and it would
remove a plan B option for some attack-flowcharts. i would *much* rather
play defense without facing this latent weapon available to the offense.
I'm agreeing here,
On Sun, 7 Mar 2004, E.B. Dreger wrote:
If SAV were universal (ha ha ha!), one could discount spoofed
traffic when analyzing flows. But, hey, why bother playing nice
and helping other networks, eh?
SAV doesn't tell you where the packets came from. At best SAV tells you
where the packets
[two responses here]
1 of 2
[EMAIL PROTECTED] (fingers) writes:
why is DDoS the only issue mentioned wrt source address validation?
i'm sure there's other reasons to make sure your customers can't send
spoofed packets. ...
yes. for example, most forms of dns cache pollution
On Sun, Mar 07, 2004 at 08:28:53PM +, Christopher L. Morrow wrote:
Without any data to back this up, I'm estimating based on the attacks
I've dealt with.
I don't believe the numbers have gone down at all. If it has, it's done
that for someone else, not me,
Is this attacks on 'known
smurf attacks are far from 'non-existent' today, however they are not as
popular as in 1999-2000-2001.
that's interesting, i've not seen/heard of one for ages.. (guess u have a wider
testing ground :)
In fact netscan.org still shows almost 9k networks that are 'broken'.
actually i just ran
[EMAIL PROTECTED] (Sean Donelan) writes:
SAV doesn't tell you where the packets came from. At best SAV tells you
where the packets didn't come from.
...which is incredibly more valuable than not knowing anything at all.
You would be wrong. There are networks that have deployed SAV/uRPF.
removed paul from the direct reply since his mailserver doesn't like uunet
mail servers :)
On Sun, 7 Mar 2004, Stephen J. Wilcox wrote:
smurf attacks are far from 'non-existent' today, however they are not as
popular as in 1999-2000-2001.
that's interesting, i've not seen/heard of one for
On Sun, 7 Mar 2004, Paul Vixie wrote:
in the therefore-unreal world i live in, the ability to tell a GWF (goober
with firewall) that the incident report they sent our noc could not possibly
have come from here, is a net cost savings over having to prove it every time.
Of course, some people
SD Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST)
SD From: Sean Donelan
SD SAV doesn't tell you where the packets came from. At best
SD SAV tells you where the packets didn't come from.
If SAV were universal, source addresses could not be spoofed. If
source addresses could not be spoofed...
SD
SD Date: Sun, 7 Mar 2004 17:47:09 -0500 (EST)
SD From: Sean Donelan
SD In practice, GWF's ... send reports about packets which have
SD our IP addresses, but didn't originate here. The last thing
Probably because someone else failed to implement SAV. If
$origin_net prevented spoofing your IP
On Mon, 8 Mar 2004, E.B. Dreger wrote:
SD Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST)
SD From: Sean Donelan
SD SAV doesn't tell you where the packets came from. At best
SD SAV tells you where the packets didn't come from.
If SAV were universal, source addresses could not be spoofed. If
CLM Date: Mon, 8 Mar 2004 01:32:51 + (GMT)
CLM From: Christopher L. Morrow
CLM in a perfect world yes[...]
CLM Until this is a default behaviour and you can't screw it up
CLM (ala directed-broadcast) this will be something we all have
CLM to deal with.
Yes. But the only way we'll get
On Mon, 8 Mar 2004, E.B. Dreger wrote:
SD They saw no _net_ savings.
SD
SD In the real world, it costs more to deploy and maintain
SD SAV/uRPF.
The benefit is to other networks. When other networks make your
life easier, you benefit.
This confirms my statement. You save nothing by
Sean Donelan wrote:
On Mon, 8 Mar 2004, E.B. Dreger wrote:
SD They saw no _net_ savings.
SD
SD In the real world, it costs more to deploy and maintain
SD SAV/uRPF.
The benefit is to other networks. When other networks make your
life easier, you benefit.
This confirms my statement.
How much do
On Sun, 7 Mar 2004, Sean Donelan wrote:
This confirms my statement. You save nothing by deploying SAV on your
network.
This isn't the point. The point is, why should others suffer the burden of
your clients spewing bogon/spoofed/nonsense garbage at them?
The effect is cumulative. If everyone
SD Date: Sun, 7 Mar 2004 21:24:44 -0500 (EST)
SD From: Sean Donelan
SD This confirms my statement. You save nothing by deploying
SD SAV on your network. There may be some indeterminate benefit
Unless, of course, the traffic originated from your network and
it simplifies your backtrace.
On Sun, Mar 07, 2004 at 09:24:44PM -0500, Sean Donelan wrote:
On Mon, 8 Mar 2004, E.B. Dreger wrote:
SD They saw no _net_ savings.
SD
SD In the real world, it costs more to deploy and maintain
SD SAV/uRPF.
[snip]
In the real word, there are different networks with different
tools and
On Sun, Mar 07, 2004 at 09:24:44PM -0500, Sean Donelan wrote:
If you want others to help you, help them.
I've already done my part. I'm still waiting for others to help me.
Should I be expecting a check in the mail?
No. The work you've done is expected of you, as a good Internetwork
[EMAIL PROTECTED] (vijay gill) writes:
Putting rubber to the road eventually, we actually went ahead and
packetfiltered rfc1918 space on our edge. I know paul and stephen
will be crowing with joy here, as we had several arguments about
it in previous lives, ...
fwiw, in retrospect you were
[EMAIL PROTECTED] (Dan Hollis) writes:
...
This isn't the point. The point is, why should others suffer the burden of
your clients spewing bogon/spoofed/nonsense garbage at them?
when i found out that two e-mail based service companies who had been
acquired by yahoo had stopped doing
On Sun, 7 Mar 2004, Avleen Vig wrote:
No. The work you've done is expected of you, as a good Internetwork
neighbour.
If you're not a good neighbour, next time you need my help, or the help
of anyone else I know, please expect the finger.
But I keep trying to do good work; and you keep giving
Sean Donelan wrote:
On Sun, 7 Mar 2004, E.B. Dreger wrote:
SAV doesn't take long to implement. Considering the time spent
discounting spoofing when responding to incidents, I think there
would be a _net_ savings (no pun intended) in time spent
responding to incidents.
You would be wrong.
[EMAIL PROTECTED] (Sean Donelan) writes:
If you're not a good neighbour, next time you need my help, or the help
of anyone else I know, please expect the finger.
But I keep trying to do good work; and you keep giving me the finger. Why
should I keep trying to do good work? Remember it
[EMAIL PROTECTED] (Ken Diliberto) writes:
Where do you draw the line between large and not large? Does a
university with a /16 count as large? We do both SAV and a version of
uRPF. It makes our network run better, saves us money (reduces the
amount of time we spend on support and makes
--On 06 March 2004 18:39 -0500 Sean Donelan [EMAIL PROTECTED] wrote:
Source address validation (or Cisco's term uRPF) is perhaps more widely
deployed than people realize. It's not 100%, but what's interesting is
despite its use, it appears to have had very little impact on DDOS or
lots of other
After all these years, perhaps its time to re-examine the assumptions.
it's always fun and useful to re-examine assumptions. for example, anyone
who assumes that because the attacks they happen to see, or the attacks
they hear about lately, don't use spoofed source addresses -- that spoofing
On Sun, 7 Mar 2004, Paul Vixie wrote:
don't be lulled into some kind of false sense of security by the fact
that YOU are not seeing spoofed packets TODAY. let's close the doors we
CAN close, and give attackers fewer options.
sadly the prevailing thought seems to be 'we can't block every
On Sun, 7 Mar 2004, Paul Vixie wrote:
don't be lulled into some kind of false sense of security by the fact
that YOU are not seeing spoofed packets TODAY. let's close the doors we
CAN close, and give attackers fewer options.
I don't have a false sense of security. We have lots of open doors
Sean Donelan wrote:
Would you rather ISPs spend money to
1. Deploying S-BGP?
2. Deploying uRPF?
3. Respond to incident reports?
Why are we limited to that set?
On Sat, 6 Mar 2004, Dan Hollis wrote:
sadly the prevailing thought seems to be 'we can't block every exploit so
we will block none'. this (and others) are used as an excuse to not deploy
urpf on edge interfaces facing singlehomed customers.
This is one of the few locations SAV/uRPF
...
buying screen doors for igloos may not be the best use of resources. uRPF
doesn't actually prevent any attacks.
actually, it would. universal uRPF would stop some attacks, and it would
remove a plan B option for some attack-flowcharts. i would *much* rather
play defense without facing
On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote:
Source address validation (or Cisco's term uRPF) is perhaps more widely
deployed than people realize. It's not 100%, but what's interesting is
despite its use, it appears to have had very little impact on DDOS or
lots of other bad
On Sat, 6 Mar 2004, Avleen Vig wrote:
On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote:
Source address validation (or Cisco's term uRPF) is perhaps more widely
deployed than people realize. It's not 100%, but what's interesting is
despite its use, it appears to have had very
[EMAIL PROTECTED] (Sean Donelan) writes:
How many exploits does uRPF block?
that's hard to measure since we end up not receiving those. but one can
assume that spoofed-source attacks aren't tried, either because (1) it's
easier to just use a high number of windows-xp drones, or because of (2)
[EMAIL PROTECTED] (Sean Donelan) writes:
Try saying that after running a major DDoS target, with HIT ME your
forehead. No offense Sean but I'd like you to back your claim up with
some empirical data first.
Has the number of DDOS attacks increased or decreased in the last few
years has
On 7 Mar 2004, Paul Vixie wrote:
[EMAIL PROTECTED] (Sean Donelan) writes:
Try saying that after running a major DDoS target, with HIT ME your
forehead. No offense Sean but I'd like you to back your claim up with
some empirical data first.
Has the number of DDOS attacks increased or