Re: [apnic-talk] NICs and Egress filtering?
Phil and all,
Phil Crooker wrote:
> Jeff Williams wrote:
> >
> > Phil and all,
> >
> > Interesting topic. (See more of my comments below)
> >
> > Phil Crooker wrote:
> >
> > > Hi,
> > >
> > > I look after Internet security for our company and have often wondered
> > > ....
> > >
> > > Considering how important egress filtering of spoofed IP addresses in
> > > preventing Distributed Denial Of Service attacks, I was wondering
> > > whether APNIC and the other NICs have considered requiring IP address
> > > holders to apply egress
> > > filters on their boundary routers?
> >
> > Egress filtering is only one such method of dealing with these problems.
> > Requiring only one such method is inconsistent with good IP address
> > and router management in some sectors.
> >
>
> Yes, but it is such a fundamental measure: if we positively know where
> a packet is coming from we can track this stuff down. And from my myopic
> viewpoint one of the few measures that can be universally implemented:
> we wouldn't need to rely on end users good will or knowledge. It would
> eliminate a whole layer of obfuscation currently available to hackers
> / vandals.
Yes if you know where the packet really came from. Often you don't
with a skilled cracker. IP address swapping can circumvent this if you
catch my drift here?
>
>
> > I am afraid it would meet with some significant resistance.
>
> Technical and/or "it's too hard"?
Both really. But the latter would be hidden by the former in some if not
many instances...
>
>
> > >
> > >
> > > It seems to me the major NICs are about the only body that have the
> > > where-with-all to enforce these filters. Once done, we would not only
> > > eliminate DDOS attacks but also make DOS trackable, eliminate spam
> > > spoofing and hacker techniques that use spoofing.
> >
> > Egress is also "Spoofable" as has been already shown.
> >
>
> If I have a filter on my boundary router only permitting outbound
> packets with a source address of my network, how can this be defeated?
That is an extreme method of implementation. If you only allow outbound
packets that only reside on your network you in effect circumvent what the
internet is supposed to provide to a very great extent. That is already being
politically opposed, as I hope you already know, Phil...
>
>
> > >
> > >
> > > I guess the main problem would be how to test for it externally.
> > >
> > > Anyone care to comment?
> >
> > Just did. >;)
> >
>
> yes, thanks
>
> --
>
> Phil Crooker ORIX Australia 61 8 8443 6844
> UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
Regards,
--
Jeffrey A. Williams
Spokesman INEGroup (Over 112k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1 at ix dot netcom dot com
Contact Number: 972-447-1800 x1894 or 9236 fwd's to home ph#
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208
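The filter Phil describes above (a boundary router that only forwards outbound packets whose source address belongs to the organisation's own prefixes, the BCP 38 idea) is simple enough to simulate. The following is an added example and not code from either poster or from APNIC; it uses constructed packet records and the RFC 5737 documentation ranges as the "local" prefixes, and it also shows the mirror-image ingress check (drop packets arriving from outside that claim one of our own addresses), which the thread does not discuss in detail. Dropped packets are recorded with a reason so the log can be used to find misconfigured or compromised hosts inside the network, which is the detection value Phil alludes to.

```python
"""Simulated source-address egress/ingress filter for a boundary router.

Added example, not part of the original apnic-talk thread. Prefixes and
packet records below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the address blocks this organisation holds (RFC 5737 ranges).
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed packet records as (direction, source, destination).
# "out" = leaving our network towards the Internet, "in" = arriving from it.
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("out", "192.0.2.10", "203.0.113.5"),     # legitimate outbound
    ("out", "10.99.1.7", "203.0.113.5"),      # RFC 1918 source leaking out
    ("out", "203.0.113.99", "203.0.113.5"),   # foreign source leaving our net
    ("in", "203.0.113.5", "192.0.2.10"),      # legitimate inbound
    ("in", "192.0.2.77", "192.0.2.10"),       # inbound claiming our own address
]


def is_local(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls inside one of the prefixes we are responsible for."""
    return any(addr in net for net in LOCAL_PREFIXES)


def filter_packet(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Return ("permit", "") or ("drop", reason) for one packet.

    Egress rule: only our own source addresses may leave.
    Ingress rule: nothing arriving from outside may carry our own source.
    """
    addr = ipaddress.ip_address(src)
    if direction == "out":
        if is_local(addr):
            return ("permit", "")
        return ("drop", f"egress: source {src} not in local prefixes")
    if direction == "in":
        if is_local(addr):
            return ("drop", f"ingress: external packet claims local source {src}")
        return ("permit", "")
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Run every packet through the filter and keep the verdict and reason."""
    results = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        results.append({"direction": direction, "src": src, "dst": dst,
                        "verdict": verdict, "reason": reason})
    return results


def count_dropped(results: List[Dict[str, str]]) -> int:
    """Number of packets the boundary filter refused to forward."""
    return sum(1 for r in results if r["verdict"] == "drop")


def dropped_sources(results: List[Dict[str, str]]) -> List[str]:
    """Source addresses of dropped packets; the list an operator would chase."""
    return [r["src"] for r in results if r["verdict"] == "drop"]


if __name__ == "__main__":
    for r in apply_filter(SAMPLE_PACKETS):
        print(f"{r['direction']:>3} {r['src']:>15} -> {r['dst']:<15} "
              f"{r['verdict']:6} {r['reason']}")
```

Note that the egress rule only proves a packet's source lies within the organisation's own block; it says nothing about which host inside that block actually sent it. Tracing further still needs per-subnet filtering on the internal routers or host-level evidence, which is the gap Jeff points to when he says you often do not know where a packet really came from.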
* APNIC-TALK: General APNIC Discussion List *