In message <[EMAIL PROTECTED]> Iljitsch van Beijnum writes:

> Now if this proposed wg can find a way for me to recognize spoofed packets when they enter my networks without cooperation from the source and intermediate networks, I'm all ears.
Create a filter at each ingress to your network taking unassigned (and optionally also unreachable) address space. The minimal data collection is incrementing a counter. You may also want to blackhole the traffic with invalid source address, but you don't need to do that to do the data collection. Just counting the filter hits may be all you want to do. If you see a spike in that traffic, notify the peer. If they do the same, it leads back toward the source of spoofed attacks. I think UUNET had a white paper on this and there may have been something similar (more than once) at NANOG.

Note that if there is one destination (host or prefix) and many sources it is an attack on a specific target. You may discover this in your data collection (if it is more than reading an SNMP counter). If you divert traffic to a pizza box (could be remote) then you can record destinations being attacked. You may (or may not) want to blackhole traffic to that target from that ingress depending on whether the traffic volume is high enough. If the target is your customer, then call them and have them make the call on this. The data collection should trigger a trouble ticket and this notification should be NOC procedure. Both ANS and UUNET had something along these lines, though ANS used the ARTS data collection (don't ask me what the acronym stood for, I forgot). Customers appreciated getting the call where the ISP had noticed the problem, isolated the source, notified the peer, and was asking the customer about further action.

If their link was flooded or the DoS was causing trouble they often requested blackholing from the source. Legitimate traffic from the peer ISP was then lost until the peer traced the problem further back. Good NOC to NOC communication helped, and bothering the other NOC about it every so often helped. ANS bothered them every 15 minutes until they traced to a peer and put a similar filter there (lessening the impact on legitimate traffic), then bothered that upstream, ... etc. This sometimes went on for a day or two with the need to escalate the problem at less responsive providers.

This attack (TCP SYN with forged source) was popular for a while, but when BSD and Linux were hardened against it (with most major web servers running on these OSes) and Apache hardened, it became far less effective and is not so common. DoS attacks on DNS servers were another fad. Both still occur but afaik are less common now.

This is the simplest. The ANS ARTS collection could recognize a change in the net to net traffic, and new source addresses stuck out even if the attacker used a range of reachable addresses. If they used their own addresses (unused host addresses or otherwise blackholing the SYN-ACK, or some other type of attack) then that could be detected (lots of traffic to that dest with a specific source range). ARTS software was put in the public domain and ARTS collection may be feasible on some routers, but I don't think anyone at all does it anymore. UUNET did something in between, only collecting statistics on traffic with known bogus source addresses.

Curtis

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
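The counting, spike-notification and one-destination-many-sources checks the post describes, as an added worked example (not Curtis's code, and not the ANS ARTS or UUNET tooling). It assumes flow records arrive as (ingress, source, destination, packets) tuples and uses a small illustrative list of unassigned/reserved prefixes in place of a maintained unallocated-space feed.

```python
import ipaddress
from collections import Counter, defaultdict

# Illustrative subset of unassigned/reserved space for this demo; a real deployment
# would load the current unallocated list from a maintained source (assumption).
UNASSIGNED = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

def is_bogus_source(src):
    """True if src lies in space that cannot legitimately originate traffic."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in UNASSIGNED)

def count_filter_hits(flows):
    """Minimal collection from the post: per-ingress count of packets matching the filter."""
    hits = Counter()
    for ingress, src, _dst, pkts in flows:   # flow = (ingress, src, dst, packets)
        if is_bogus_source(src):
            hits[ingress] += pkts
    return hits

def spiking(hits, baseline, factor=5):
    """Ingresses whose count exceeds factor x baseline: the peers the NOC should notify."""
    return sorted(i for i, n in hits.items() if n > factor * baseline.get(i, 0))

def attacked_targets(flows, min_sources=3):
    """One destination, many forged sources: {dst: distinct bogus sources} for such dsts."""
    sources = defaultdict(set)
    for _ingress, src, dst, _pkts in flows:
        if is_bogus_source(src):
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 stand in for
# legitimate addresses and the customer's server.
SAMPLE_FLOWS = [
    ("peerA", "198.51.100.7", "203.0.113.10", 400),   # normal traffic
    ("peerA", "10.1.2.3",     "203.0.113.10", 900),   # forged sources below
    ("peerA", "10.9.8.7",     "203.0.113.10", 700),
    ("peerA", "0.1.1.1",      "203.0.113.10", 500),
    ("peerA", "240.0.0.9",    "203.0.113.10", 300),
    ("peerB", "127.0.0.1",    "203.0.113.20", 2),     # background noise
    ("peerB", "198.51.100.9", "203.0.113.20", 1000),
]
# Filter hits per ingress seen in earlier collection intervals (constructed baseline).
BASELINE = {"peerA": 50, "peerB": 5}
if __name__ == "__main__":
    hits = count_filter_hits(SAMPLE_FLOWS)
    print(dict(hits), spiking(hits, BASELINE), attacked_targets(SAMPLE_FLOWS))
```

On the sample, peerA's filter count is 48x its baseline and one destination receives traffic from four distinct forged sources, which is the trouble-ticket condition the post describes; peerB's two hits stay below threshold.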
