Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> fine now? you can put "loose"...it's NO USE!! that's what I said..there will > always be a route to the source...all you may drop is 10.x/192.168 and > 172/16-31..that too if your network isn't internally using it Oh, and if this ends up being the case, what's wrong with that? Less RFC1918 crap

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> fine now? you can put "loose"...it's NO USE!! that's what I said..there will > always be a route to the source...all you may drop is 10.x/192.168 and > 172/16-31..that too if your network isn't internally using it > > and if you end up putting "loose" on an OSPF router you'll drop valid traffic if your >

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> One of my clients is currently a victim of an over-zealous ISP > recklessly trying to implement rpf. Assuming the provider is doing the right thing by filtering routing announcements, and assuming the customer has done the right thing by informing their provider of the blocks they _might_ ann

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> > Sounds like you're trying to either shoot yourself in the foot, or design a > > new too-clever-by-half way of building a VPN. > > It is called a one-way ip over satellite link to places like Australia, New > Zealand or the Middle East. So it is not like we are talking about a little bit of > traffic

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread Valdis . Kletnieks
On Fri, 08 Nov 2002 01:55:03 +0530, alok said: > take a simple scenario > AS-1, AS-2 and AS-3 and as-4 > > AS-2 and as-3 in the middle, as-1 and as-4 multihome on them and are on > either side of as-2 and as-3..they don't peer with each other ...(though as-2 > and as-3 maybe) > > as-1 advertise

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread alok
if what you mean by loose is "exist only" then yes on a bgp running router probably the WHOLE INTERNET IS EXIST ONLY...that surely gives you enough ips to spoof with?? how do you block by source? you could only know that "from that link between as-1 and as-2 there will be some traffic from

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread alok
If loose rpf doesn't work, you're about to start dropping packets *anyhow*. Unless, of course, you *INTENDED* to have a topology where you're accepting traffic from another AS and forwarding it, and you don't have a return path yourself, but the destination *does* have an asymmetric path. Oh..
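The strict/loose distinction argued over in the two messages above (loose is "exist only"; strict can drop legitimate asymmetric traffic) is easier to see on a toy FIB. The Python below is an added example written for this archive page, not code from any poster or from Cisco; the FIB, interface names, packets and addresses are all constructed. It models the two IOS forms the thread mentions, `ip verify unicast source reachable-via rx` (strict, the command Jared Mauch quotes further down the page) and `reachable-via any` (loose), plus the IOS `allow-default` keyword, which decides whether a source covered only by the default route counts as reachable.

```python
import ipaddress
from typing import List, Optional, Tuple

# IOS syntax referred to in this thread. "reachable-via rx" is strict mode;
# "reachable-via any" is the loose mode alok calls "exist only". The
# optional "allow-default" keyword is modelled by the allow_default flag.
IOS_COMMAND = {
    "strict": "ip verify unicast source reachable-via rx",
    "loose": "ip verify unicast source reachable-via any",
}

# Constructed FIB for a hypothetical provider router: (prefix, egress interface).
# None stands for a discard (Null0) route. Longest prefix wins, as in a real FIB.
FIB: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "Peer-to-AS2"),         # default route toward transit
    ("192.0.2.0/24", "Cust-A"),           # single-homed customer
    ("198.51.100.0/24", "Cust-B"),        # multihomed customer; block announced to us
    ("198.51.101.0/24", "Peer-to-AS2"),   # Cust-B's other block, announced only to
                                          # their other provider, so we learn it via transit
    ("203.0.113.0/24", "Peer-to-AS3"),    # learned from a peer
    ("10.0.0.0/8", None),                 # RFC1918 space routed to Null0
]


def fib_lookup(src: str) -> Tuple[Optional[ipaddress.IPv4Network], Optional[str]]:
    """Longest-prefix match of a source address against FIB.

    Returns (prefix, interface). (None, None): no route at all.
    (prefix, None): the best match is a discard route.
    """
    addr = ipaddress.ip_address(src)
    best_net: Optional[ipaddress.IPv4Network] = None
    best_iface: Optional[str] = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_net, best_iface


def urpf_pass(mode: str, ingress: str, src: str, allow_default: bool = False) -> bool:
    """Return True if a packet from `src` arriving on `ingress` survives uRPF.

    strict: the best route back to the source must point out the ingress interface.
    loose:  the source only needs some non-discard route in the FIB.
    allow_default: whether a match on 0.0.0.0/0 counts; without it (the IOS
    default) a source covered only by the default route fails in either mode.
    """
    if mode not in IOS_COMMAND:
        raise ValueError(f"unknown uRPF mode: {mode}")
    net, iface = fib_lookup(src)
    if net is None or iface is None:
        return False                      # no route, or a Null0 route: drop in both modes
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == ingress
    return True


# Constructed packets: (ingress interface, source address, what the packet really is)
PACKETS = [
    ("Cust-A", "192.0.2.10", "legit: Cust-A's own address"),
    ("Cust-A", "203.0.113.5", "spoofed: Cust-A using a peer's address"),
    ("Cust-A", "10.1.1.1", "spoofed RFC1918 source"),
    ("Cust-B", "198.51.101.5", "legit but asymmetric: Cust-B block we learn via transit"),
    ("Peer-to-AS3", "192.0.2.10", "spoofed: a peer sending our customer's address"),
    ("Peer-to-AS3", "100.64.0.1", "source covered only by the default route"),
]


def evaluate(mode: str, allow_default: bool = False) -> List[Tuple[str, str, bool]]:
    """Run every constructed packet through one uRPF mode; returns (ingress, src, passed)."""
    return [(ingress, src, urpf_pass(mode, ingress, src, allow_default))
            for ingress, src, _ in PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode}: {IOS_COMMAND[mode]}")
        for (ingress, src, note), (_, _, ok) in zip(PACKETS, evaluate(mode)):
            print(f"{'PASS' if ok else 'DROP':4} {ingress:12} {src:15} {note}")
```

Running it shows both failure modes side by side: strict on Cust-B drops 198.51.101.5, whose route points at transit because that block is announced only through the customer's other provider, while loose lets a peer send packets sourced from our own customer's 192.0.2.0/24 because a route for it exists somewhere. Without `allow-default`, a router carrying only a default route drops nearly everything in loose mode; with it, or with a full BGP table, loose mode rejects little beyond Null0-routed space such as RFC1918, which is the "whole Internet is exist only" point.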

RE: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread H. Michael Smith, Jr.
-- From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of alok Sent: Thursday, November 07, 2002 3:00 PM To: Majdi S. Abbas; [EMAIL PROTECTED] Subject: Re: Where is the edge of the Internet? Re: no ip forged-source-address On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote: > there

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread alex
> Sounds like you're trying to either shoot yourself in the foot, or design a > new too-clever-by-half way of building a VPN. It is called a one-way ip over satellite link to places like Australia, New Zealand or the Middle East. So it is not like we are talking about a little bit of traffic. Alex

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> Ok, so I'll respond to one more of the messages I missed yesterday. > > On Mon, 4 Nov 2002, Matt Buford wrote: > > On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > > > The only equipment I've heard here which has serious issues related to > > > feature availability is the 12000 (which was never a p

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread Valdis . Kletnieks
On Fri, 08 Nov 2002 01:01:33 +0530, alok said: > there was a comment from chris saying..."never possible to know what networks > a bgp customer uplinks via you" which is very true.. ..so I assume you mean > non-bgp customers? loose or strict, rpf will not work for asymmetrically > connected bgp neig

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread alok
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote: > there was a comment from chris saying..."never possible to know what networks > a bgp customer uplinks via you" which is very true.. ..so I assume you mean > non-bgp customers? loose or strict, rpf will not work for asymmetrically > connected

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread Majdi S. Abbas
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote: > there was a comment from chris saying..."never possible to know what networks > a bgp customer uplinks via you" which is very true.. ..so I assume you mean > non-bgp customers? loose or strict, rpf will not work for asymmetrically > connected b

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread alok
- From: <[EMAIL PROTECTED]> To: alok <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, November 08, 2002 12:41 AM Subject: Re: Where is the edge of the Internet? Re: no ip forged-source-address > > I'm opposed to some of the suggestions where to put source

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-07 Thread bdragon
> > I'm opposed to some of the suggestions where to put source address > > filters, especially placing them in "non-edge" locations. E.g. requiring > > address filters at US border crossings is a *bad* idea, worthy of an > > official visit from the bad idea fairy. > > What is bad about filtering

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-06 Thread Christopher L. Morrow
Ok, so I'll respond to one more of the messages I missed yesterday. On Mon, 4 Nov 2002, Matt Buford wrote: > > On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > > The only equipment I've heard here which has serious issues related to > > feature availability is the 12000 (which was never a particular

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-05 Thread Christopher L. Morrow
Sean puts this very nicely... I was away today so I missed the rest of the traffic and looking it over a lot of it was not relevant. I'll put in some comments here though. On Mon, 4 Nov 2002, Sean Donelan wrote: > > On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > > What about the other large isps?

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-04 Thread alok
> I'm opposed to some of the suggestions where to put source address > filters, especially placing them in "non-edge" locations. E.g. requiring > address filters at US border crossings is a *bad* idea, worthy of an > official visit from the bad idea fairy. What is bad about filtering facing non-

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-04 Thread Matt Buford
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > The only equipment I've heard here which has serious issues related to > feature availability is the 12000 (which was never a particularly good > aggregation device to begin with). RPF works fine on 7200, 7500, and > 6500, from my experience. I've not u

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-04 Thread bdragon
> On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > > What about the other large isps? What would it take for you to do > > something? Chris is gracious enough to show up and participate, at > > least even if it does mean he has to wear nomex. > > I'm in favor of source address filtering at the edges

Re: Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-04 Thread Daniel Senie
At 06:18 PM 11/4/2002, Sean Donelan wrote: On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > What about the other large isps? What would it take for you to do > something? Chris is gracious enough to show up and participate, at > least even if it does mean he has to wear nomex. I'm in favor of sour

Where is the edge of the Internet? Re: no ip forged-source-address

2002-11-04 Thread Sean Donelan
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote: > What about the other large isps? What would it take for you to do > something? Chris is gracious enough to show up and participate, at > least even if it does mean he has to wear nomex. I'm in favor of source address filtering at the edges. I'm oppos

Re: no ip forged-source-address

2002-11-04 Thread bdragon
> On Wed, 30 Oct 2002, Charles D Hammonds wrote: > > > analogy games are fun, but it boils down to this... If I know the real > > source of an attack, I can stop it within minutes. I'm sure that my > > customers appreciate that fact. No one will ever completely stop attacks, the > > point is to mi

Re: no ip forged-source-address

2002-11-04 Thread bdragon
> On Wed, 30 Oct 2002 [EMAIL PROTECTED] wrote: > RPF checking can only go so far. You would need RPF checking down to the > host level and I haven't heard anyone discuss that yet. Is this a reason not to do what we can now? > -Hank Let's start with getting it going in the right direction, at l

Re: no ip forged-source-address

2002-11-04 Thread bdragon
> On Wed, Oct 30, 2002 at 03:44:12PM +, [EMAIL PROTECTED] wrote: > > > Therefore, would it be a reasonable suggestion to ask router vendors to > > source address filtering in as an option[1] on the interface and then move > > it to being the default setting[2] after a period of time? > > Can

Re: no ip forged-source-address

2002-11-03 Thread Bob Martinez
Richard: Just my $0.02, May not be enough money. You present a solution to an unclearly defined problem. Never fear, the IETF has a packet sampling working group now, but one vendor has RFC3176 sFlow today (yesterday). I've got sFlow running on 1GbE links today and I'm planning on a 10Gb

Re: no ip forged-source-address

2002-10-31 Thread David Howe
at Thursday, October 31, 2002 1:22 PM, Randy Bush <[EMAIL PROTECTED]> was seen to say: >> analogy games are fun, but it boils down to this... If I know the >> real source of an attack, I can stop it within minutes. > > the real source of the attack is the skript kitty who zombied the > 10,000 host

RE: no ip forged-source-address

2002-10-31 Thread Randy Bush
> analogy games are fun, but it boils down to this... If I know the real > source of an attack, I can stop it within minutes. the real source of the attack is the skript kitty who zombied the 10,000 hosts which are sourcing packets at you. the intermediate sources are the 10,000 zombies, and try

Re: no ip forged-source-address

2002-10-30 Thread Sean Donelan
On Thu, 31 Oct 2002, Christopher L. Morrow wrote: > I think the spoofed source filtering is more a red-herring than anything > else. Its not the fix for anything related to this problem of attacks on > the internet. Spoofed or non, I can forward 1,000,000pps at your network and > it will die (most

Re: no ip forged-source-address

2002-10-30 Thread Jim Forster
On 10/30/02 11:26 AM, "Hank Nussbacher" <[EMAIL PROTECTED]> wrote: > If every router in the world did this I could still use spoofed IP > addresses and DDOS someone. My little program could determine what subnet > I am on, check what other hosts are alive on the subnet and then when it > decides

RE: no ip forged-source-address

2002-10-30 Thread Christopher L. Morrow
> > Charles > > -Original Message- > From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu]On Behalf Of > Christopher L. Morrow > Sent: Wednesday, October 30, 2002 10:47 PM > To: [EMAIL PROTECTED] > Cc: Christopher L. Morrow; [EMAIL PROTECTED] > Subject: Re: no ip

RE: no ip forged-source-address

2002-10-30 Thread Charles D Hammonds
ow; [EMAIL PROTECTED] Subject: Re: no ip forged-source-address On Thu, 31 Oct 2002 [EMAIL PROTECTED] wrote: > On Thu, 31 Oct 2002 06:21:00 GMT, "Christopher L. Morrow" said: > > > I'm confused.. its still a DoS attack, eh?? > > It's the difference between:

Re: no ip forged-source-address

2002-10-30 Thread Hank Nussbacher
At 01:36 AM 31-10-02 -0500, [EMAIL PROTECTED] wrote: It's the difference between: A) Going out to your car at the end of a too-long day and finding a broken taillight. B) Going out to your car at the end of a too-long day and finding a broken taillight and a business card under the windshield

Re: no ip forged-source-address

2002-10-30 Thread Christopher L. Morrow
On Thu, 31 Oct 2002 [EMAIL PROTECTED] wrote: > On Thu, 31 Oct 2002 06:21:00 GMT, "Christopher L. Morrow" said: > > > I'm confused.. its still a DoS attack, eh?? > > It's the difference between: > > A) Going out to your car at the end of a too-long day and finding a > broken taillight. > > B) Go

Re: no ip forged-source-address

2002-10-30 Thread Valdis . Kletnieks
On Thu, 31 Oct 2002 06:21:00 GMT, "Christopher L. Morrow" said: > I'm confused.. its still a DoS attack, eh?? It's the difference between: A) Going out to your car at the end of a too-long day and finding a broken taillight. B) Going out to your car at the end of a too-long day and finding a br

RE: no ip forged-source-address

2002-10-30 Thread H. Michael Smith, Jr.
riginal Message- From: Christopher L. Morrow [mailto:chris@;UU.NET] Sent: Thursday, October 31, 2002 1:21 AM To: H. Michael Smith, Jr. Cc: 'Hank Nussbacher'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: no ip forged-source-address On Wed, 30 Oct 2002, H. Michael Smith, Jr. wrote:

RE: no ip forged-source-address

2002-10-30 Thread Christopher L. Morrow
On Wed, 30 Oct 2002, H. Michael Smith, Jr. wrote: > > A fundamental effect of spoofing addresses from your local subnet is > that when the packets reach their target, the source addresses are > meaningful. I realize that the traceability of these packets has > already been mentioned, but I wan

Re: no ip forged-source-address

2002-10-30 Thread Christopher L. Morrow
I was trying to keep my mouth shut... but alas that was too tough ;( First, the ip addresses used in the attack are completely disconnected from the problem of the attack. If you get attacked, it's really not relevant what ips are used; spoofed or not, someone needs to stop it for you. The real pro

Re: no ip forged-source-address

2002-10-30 Thread Jared Mauch
On Wed, Oct 30, 2002 at 03:34:40PM -0600, Craig A. Huegen wrote: > > On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote: > > ==>Traceback would get me instantly back to the offending subnet but then it > ==>would take a bit of digging on the network admin to track me down and > ==>a

RE: no ip forged-source-address

2002-10-30 Thread Tony Hain
Petri Helenius wrote: > > > decides to attack, it would use some neighbor's IP. The > subnet I am > > on is a /24 and there very well may be a few dozen hosts. > I could be > > real sneaky and alter my IP randomly to be any of my neighbors for > > every packet I send out. > > > This gets

RE: no ip forged-source-address

2002-10-30 Thread H. Michael Smith, Jr.
with meaningful vs. meaningless source addresses. -Original Message- From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of Hank Nussbacher Sent: Wednesday, October 30, 2002 2:27 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: no ip forged-source-address On Wed

Re: no ip forged-source-address

2002-10-30 Thread Daniel Senie
At 12:09 PM 10/30/2002, you wrote: "daniel" == Daniel Senie <[EMAIL PROTECTED]> writes: daniel> If the government or other large buyers require network-wide daniel> ingress filtering in any supplier they buy from (something I daniel> suggested to the folks at eBay, Schwab, etc. in our phone dan

Re: no ip forged-source-address

2002-10-30 Thread Petri Helenius
> decides to attack, it would use some neighbor's IP. The subnet I am on is > a /24 and there very well may be a few dozen hosts. I could be real > sneaky and alter my IP randomly to be any of my neighbors for every packet > I send out. > This gets a lot sneakier when you got your /64 on the su

Re: no ip forged-source-address

2002-10-30 Thread Daniel Senie
riod of time? This appeared > to have some success with reducing the number of networks that forwarded > broadcast packets (as with "no ip directed-broadcast"). > > Just my $0.02, > > > Richard Morrell > edNET > > [1] For example, an IOS config might be: > &

RE: no ip forged-source-address

2002-10-30 Thread Daniel Senie
At 12:29 PM 10/30/2002, Tony Hain wrote: To reiterate the comment I made during the session yesterday, the places where strict rpf will be most effective are at the very edge interfaces without explicit management (SOHO). This also tends to be the place where there is insufficient clue to turn i

Re: no ip forged-source-address

2002-10-30 Thread Craig A. Huegen
On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote: ==>Traceback would get me instantly back to the offending subnet but then it ==>would take a bit of digging on the network admin to track me down and ==>applying RPF checking won't help. I think the issue we need to tackle is ensur

Re: no ip forged-source-address

2002-10-30 Thread Barney Wolff
On Wed, Oct 30, 2002 at 09:26:30PM +0200, Hank Nussbacher wrote: > > Traceback would get me instantly back to the offending subnet but then it > would take a bit of digging on the network admin to track me down and > applying RPF checking won't help. Sure. But do you really want to give up a 95

Re: no ip forged-source-address

2002-10-30 Thread Hank Nussbacher
networks that forwarded > broadcast packets (as with "no ip directed-broadcast"). > > Just my $0.02, > > > Richard Morrell > edNET > > [1] For example, an IOS config might be: > > interface fastethernet 1/0 > no ip forged-source-address > > [2] Network admins would still have the option of turning it off, but this > would have to be explicitly configured. > > >

Re: no ip forged-source-address

2002-10-30 Thread Jared Mauch
, an IOS config might be: > > > > interface fastethernet 1/0 > > no ip forged-source-address > > Well, this already exists, doesn't it? Try the following on your > customer-facing interface: > > ip verify unicast source reachable-via rx > > >

Re: no ip forged-source-address

2002-10-30 Thread Lars Erik Gullerud
to have some success with reducing the number of networks that forwarded > broadcast packets (as with "no ip directed-broadcast"). [snip] > [1] For example, an IOS config might be: > > interface fastethernet 1/0 > no ip forged-source-address Well, this already exists,

Re: no ip forged-source-address

2002-10-30 Thread Jesper Skriver
On Wed, Oct 30, 2002 at 06:02:44PM +, [EMAIL PROTECTED] wrote: > On Wed, 30 Oct 2002, Jesper Skriver wrote: > > > Cannot be done, I certainly don't want RPF check to be default enabled > > on all interfaces on my routers, think for a second about asymmetric > > routing WITHIN the ISP networ

Re: no ip forged-source-address

2002-10-30 Thread [EMAIL PROTECTED]
On Wed, 30 Oct 2002, Jesper Skriver wrote: > Cannot be done, I certainly don't want RPF check to be default enabled > on all interfaces on my routers, think for a second about asymmetric > routing WITHIN the ISP network. Turn it off for backbone interfaces. Regards, Rich

RE: no ip forged-source-address

2002-10-30 Thread Tony Hain
in the ISP network. Tony > -Original Message- > From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On > Behalf Of [EMAIL PROTECTED] > Sent: Wednesday, October 30, 2002 8:21 AM > To: [EMAIL PROTECTED] > Subject: Re: no ip forged-source-address > > > >

Re: no ip forged-source-address

2002-10-30 Thread Michael Lamoureux
"daniel" == Daniel Senie <[EMAIL PROTECTED]> writes: daniel> If the government or other large buyers require network-wide daniel> ingress filtering in any supplier they buy from (something I daniel> suggested to the folks at eBay, Schwab, etc. in our phone daniel> calls after the attacks a few y

Re: no ip forged-source-address

2002-10-30 Thread [EMAIL PROTECTED]
On Wed, 30 Oct 2002, Daniel Senie wrote: > BCP 38 is quite explicit in the need for all networks to do their part. The > document is quite effective provided there's cooperation. Doesn't seem to be working. > Which interface would you filter on? Customer ingress ports on the ISP side, which

Re: no ip forged-source-address

2002-10-30 Thread Jesper Skriver
On Wed, Oct 30, 2002 at 03:44:12PM +, [EMAIL PROTECTED] wrote: > Therefore, would it be a reasonable suggestion to ask router vendors to > source address filtering in as an option[1] on the interface and then move > it to being the default setting[2] after a period of time? Cannot be done, I

Re: no ip forged-source-address

2002-10-30 Thread Daniel Senie
At 10:44 AM 10/30/2002, [EMAIL PROTECTED] wrote: Hi, I've been following the discussion on DDoS attacks over the last few weeks and our network has also recently been the target of a sustained DDoS attack. I'm not alone in believing that source address filters are the simplest way to prevent t

no ip forged-source-address

2002-10-30 Thread variable
ast packets (as with "no ip directed-broadcast"). Just my $0.02, Richard Morrell edNET [1] For example, an IOS config might be: interface fastethernet 1/0 no ip forged-source-address [2] Network admins would still have the option of turning it off, but this would have to be explicitly configured.