Re: [apnic-talk] NICs and Egress filtering?
Ok, OK! I'll crawl back into my hole ;-) I never said this was
practical, just discussion...
> > > I think the more usual place to apply filters to catch spoofing is
> > > on the ingress to your network, on the customer-facing circuit.
> > > Packet filtering is frequently expensive, which is a good reason
> > > to push it out to the edge.
> > >
> >
> > An egress filter prevents spoofed addresses entering the Internet from
> > that router
>
> To use egress filters reliably, you would have to place them on every
> customer-, peer- and provider-facing router interface.
I'm not sure where these three precisely delineate. I was thinking of
the level just above the customer only. If that level is filtered the
higher ones wouldn't require it, would they?
> That's an O(n^2)
> configuration problem, and also requires placing packet filters on fat
> trunks to peers and providers.
>
> Using ingress filters on customer-facing interfaces is an O(n)
> configuration problem, and avoids the requirement for filtering
> on peer and provider circuits.
An ingress filter has no effect on flooding-type denial of service
attacks -- if the packets can reach the destination they have achieved
their purpose. Also spoofers can use 'real' IP addresses (but not their
own) and thus circumvent any ingress filter. I often get packets
spoofed with my network addresses from third party DOS attacks.
>
> > > > It seems to me the major NICs are about the only body that have the
> > > > wherewithal to enforce these filters.
> > >
> > > How would they enforce them?
> >
> > No filter, no route your network of course!
>
> (a) APNIC, ARIN and RIPE have no say in how your network gets routed.
>
Ok, these NICs do determine who uses a particular address, no? If not
by routing, how do they stop someone from using an address?
> (b) The only person who would know if the filters were not in place
> would be the customer. If they were a good customer, they wouldn't need
> them; if they were an evil customer, they would keep quiet so they
> could exploit the hole.
>
> Joe
My problem with doing nothing is that enough users just don't do egress
filtering (for that matter they don't do ingress filters or any security
whatsoever) to give hackers / vandals plenty of scope to do as they
will. As ISPs have shown little inclination to protect their clients and
OSes / software remain insecure out of the box, what is left? This
problem is only going to get worse and it is in *all* our interests to
prevent another huge DDOS attack from happening as did last February.
--
Phil Crooker ORIX Australia 61 8 8443 6844
UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
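The two filter placements argued over in this thread, as an added Python model that is not from the list or any of its posters: the interface names, customer prefixes and uplink count are constructed, and the entry count is a simple model of the O(n) versus O(n^2) configuration argument above.

```python
"""Model of customer-facing ingress filtering versus uplink egress filtering.

Constructed topology (assumption): three customer interfaces, each assigned
one prefix, and two outward (peer/provider) interfaces.
"""
from ipaddress import ip_address, ip_network

# Constructed customer allocations keyed by the customer-facing interface.
CUSTOMERS = {
    "cust-A": ip_network("192.0.2.0/24"),
    "cust-B": ip_network("198.51.100.0/24"),
    "cust-C": ip_network("203.0.113.0/24"),
}
UPLINKS = ["peer-1", "provider-1"]


def ingress_permits(iface: str, src: str) -> bool:
    """Customer-facing ingress filter: a packet may enter only if its
    source address lies inside the prefix assigned to that interface."""
    return ip_address(src) in CUSTOMERS[iface]


def egress_permits(src: str) -> bool:
    """Egress filter on an uplink: a packet may leave only if its source
    belongs to some customer prefix of this network. The uplink has no
    way to know which customer port the packet arrived on."""
    return any(ip_address(src) in net for net in CUSTOMERS.values())


def filter_entries(strategy: str) -> int:
    """Total prefix entries the configuration needs.
    ingress: one entry per customer interface (n).
    egress:  every uplink repeats the full customer list (m * n)."""
    n = len(CUSTOMERS)
    if strategy == "ingress":
        return n
    if strategy == "egress":
        return len(UPLINKS) * n
    raise ValueError(f"unknown strategy: {strategy}")


if __name__ == "__main__":
    # A host on cust-A sending with a 'real' address taken from cust-B:
    print(ingress_permits("cust-A", "198.51.100.7"))  # dropped at the edge
    print(egress_permits("198.51.100.7"))             # passes the uplink filter
    print(filter_entries("ingress"), filter_entries("egress"))
```

The last two calls show why the thread treats the placements differently: a customer-owned address arriving on the wrong customer port is caught by ingress filtering but is indistinguishable from legitimate traffic by the time it reaches an uplink egress filter.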
* APNIC-TALK: General APNIC Discussion List *