Re: [apnic-talk] NICs and Egress filtering?
Jeff Williams wrote:
>
> Phil and all,
>
> Interesting topic. (See more of my comments below)
>
> Phil Crooker wrote:
>
> > Hi,
> >
> > I look after Internet security for our company and have often wondered
> > ....
> >
> > Considering how important egress filtering of spoofed IP addresses in
> > preventing Distributed Denial Of Service attacks, I was wondering
> > whether APNIC and the other NICs have considered requiring IP address
> > holders to apply egress
> > filters on their boundary routers?
>
> Egress filtering is only one such method of dealing with these problems.
> Requiring only one such method is inconsistent with good IP address
> and router management in some sectors.
>
Yes, but it is such a fundamental measure: if we positively know where
a packet is coming from we can track this stuff down. And from my myopic
viewpoint one of the few measures that can be universally implemented:
we wouldn't need to rely on end users' good will or knowledge. It would
eliminate a whole layer of obfuscation currently available to hackers
/ vandals.
> I am afraid it would meet with some significant resistance.
Technical and/or "it's too hard"?
> >
> >
> > It seems to me the major NICs are about the only body that have the
> > wherewithal to enforce these filters. Once done, we would not only
> > eliminate DDOS attacks but also make DOS trackable, eliminate spam
> > spoofing and hacker techniques that use spoofing.
>
> Egress is also "Spoofable" as has been already shown.
>
If I have a filter on my boundary router only permitting outbound
packets with a source address of my network, how can this be defeated?
> >
> >
> > I guess the main problem would be how to test for it externally.
> >
> > Anyone care to comment?
>
> Just did. >;)
>
yes, thanks
--
Phil Crooker ORIX Australia 61 8 8443 6844
UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
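The filter Phil describes (a boundary router that only passes outbound packets whose source address lies in the site's own address space) can be modelled in a few lines. The example below is added here and is not code from the thread or from APNIC; the prefixes, the packet records and the Cisco IOS-style ACL rendering are constructed illustrations using documentation address ranges. It also shows the one case such a filter cannot catch: a source address spoofed from within the site's own prefix still passes, though it remains traceable to that site.

```python
# Added example (not from the original thread): a model of a source-address
# egress filter on a boundary router. Rule: permit an outbound packet only if
# its source address falls inside one of the site's own prefixes, deny all else.
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Constructed sample prefixes standing in for the address space a hypothetical
# organisation holds (RFC 5737 / RFC 3849 documentation ranges, not real allocations).
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def parse_prefixes(prefixes: Iterable[str]) -> list:
    """Parse textual prefixes into network objects; strict=True rejects
    prefixes with host bits set, which usually indicates a typo in the policy."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def egress_permitted(src: str, prefixes: Sequence) -> bool:
    """True if a packet with source address `src` may leave the network.
    Address-family mismatches (v6 address against a v4 prefix) are simply False."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_outbound(packets: Iterable[dict], prefixes: Sequence) -> Tuple[List[dict], List[dict]]:
    """Split a list of outbound packet records into (permitted, dropped)."""
    permitted: List[dict] = []
    dropped: List[dict] = []
    for pkt in packets:
        (permitted if egress_permitted(pkt["src"], prefixes) else dropped).append(pkt)
    return permitted, dropped


def ios_acl_lines(prefixes: Sequence, acl_number: int = 101) -> List[str]:
    """Render the same policy as Cisco IOS extended numbered-ACL lines (IPv4 only),
    intended to be applied outbound on the border interface. The wildcard mask is
    the inverted netmask, which ipaddress exposes as .hostmask."""
    lines = []
    for net in prefixes:
        if net.version != 4:
            continue
        lines.append(f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any")
    # Final explicit deny with logging so spoofing attempts show up in the router log.
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


# Constructed sample of outbound packets as seen at the border (hypothetical).
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.5", "note": "legitimate host"},
    {"src": "198.51.100.77", "dst": "192.0.2.9", "note": "spoofed, source outside our space"},
    {"src": "10.0.0.5", "dst": "192.0.2.9", "note": "private address leaking out"},
    {"src": "2001:db8:1::42", "dst": "2001:db8:ffff::1", "note": "legitimate IPv6 host"},
    {"src": "203.0.113.200", "dst": "192.0.2.9", "note": "spoofed, but inside our own prefix"},
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_PACKETS, OUR_PREFIXES)
    for pkt in ok:
        print("PERMIT", pkt["src"], "->", pkt["dst"], f"({pkt['note']})")
    for pkt in bad:
        print("DROP  ", pkt["src"], "->", pkt["dst"], f"({pkt['note']})")
    print("\n".join(ios_acl_lines(OUR_PREFIXES)))
```

The last sample packet is the caveat to Phil's question of how the filter could be defeated: an attacker inside the site can still forge another address from the same prefix, and the filter passes it. What the filter guarantees is the weaker but still valuable property in Phil's earlier point, that any packet leaving is known to come from that site's address space, so the search can be narrowed to one network instead of the whole Internet.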