On Sun, Jun 10, 2001, at 09:59:16 -0400, Paul D. Robertson wrote:

> Once again, I'm stressing that end-user network filtering be the
> major point of egress filtering, not ISP networks.

[ ObDisclaimer: i work for a company offering a DDoS product. ]

simple egress filters at the edge, unicast reverse path forwarding
closer to the core, distributed packet filtering with an even wider
purview of AS connectivity - none of these things actually mean squat
to an attacker with thousands of hosts worldwide at their disposal!

with recent advances in worm-automated zombie conscription, pulsing
attacks which aim to confound real-time traceback (e.g. manual
inspection of CEF tables, ACL hits, Netflow cache, etc.) and
subnet-based spoofing (e.g. recent DDoS tools such as Stacheldraht try
to automatically determine the presence of egress filters), it's clear
that even universal egress filtering wouldn't buy us very much.

see Rob Malan's recent NANOG presentation for further information on
these disturbing trends:

        http://www.nanog.org/mtg-0105/malan.html

> ISPs can do fairly easy filtering based on prefixes they transit or
> announce, but I agree with the contention that the aggregation of
> traffic is too much at those points to not affect performance by
> filtering in the transit space.

the closer you get to the edge of the attacker's network(s), the
better chance you have of filtering only the attack traffic, and
minimizing any collateral damage. so for remediation, it's not only
easier in terms of performance, but also more accurate.

-d.

---
http://www.monkey.org/~dugsong/
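The point above about subnet-based spoofing, as an added example that is not part of the original post: a simulated RFC 2827-style edge egress filter and a strict unicast RPF check run over constructed packets, showing that a source spoofed from within the site's own prefix passes both checks while an off-net spoof is dropped by both. The prefixes, interface names and addresses are made up for the example.

```python
# Added example (not from the original post): a simulated edge egress filter
# and a strict unicast RPF check, run over constructed packets to show which
# spoofed sources each one catches. Prefixes, interfaces and addresses are made up.
from ipaddress import ip_address, ip_network

# Customer edge: prefix assigned to the site behind interface "cust0".
# The uRPF table maps each interface to the prefixes routed out of it (constructed).
SITE_PREFIX = ip_network("192.0.2.0/24")
URPF_TABLE = {
    "cust0": [ip_network("192.0.2.0/24")],
    "cust1": [ip_network("198.51.100.0/24")],
}

def egress_filter(src, egress_prefix=SITE_PREFIX):
    """RFC 2827-style egress filter: permit only sources inside the site prefix."""
    return ip_address(src) in egress_prefix

def urpf_check(src, in_iface, table=URPF_TABLE):
    """Strict uRPF: the source must be routed back out the interface it arrived on."""
    return any(ip_address(src) in p for p in table.get(in_iface, []))

def classify(packets):
    """Return {name: (egress_passes, urpf_passes)} for a list of (name, src, iface)."""
    return {name: (egress_filter(src), urpf_check(src, iface))
            for name, src, iface in packets}

# Constructed traffic: a legitimate host, a source spoofed from within the
# site's own prefix, and a classic off-net spoof.
PACKETS = [
    ("legit",        "192.0.2.10",  "cust0"),
    ("subnet-spoof", "192.0.2.200", "cust0"),   # spoofed, but inside SITE_PREFIX
    ("offnet-spoof", "203.0.113.5", "cust0"),   # outside the prefix: caught by both
]

if __name__ == "__main__":
    for name, (egress_ok, urpf_ok) in classify(PACKETS).items():
        print(f"{name:13s} egress={'pass' if egress_ok else 'drop'} "
              f"urpf={'pass' if urpf_ok else 'drop'}")
```

Neither check can tell the subnet-spoofed packet from the legitimate one, which is why the filters reduce the attacker's address space to the site prefix rather than stopping the attack traffic.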
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]