I do not know how many of you also subscribe to NANOG, but they covered this topic in detail a few months ago. The problem, as a lot of admins were saying, is that there is not a router capable of filtering at line speed above OC3 speeds. So you have to do this where you can. I personally do it on the firewalls before it ever gets to my edge router, as we have a couple of OC3's and it can have a real effect on the router to have an access list on a link pushing 100+ Mbs.
As for specifics on what I'm doing: for instance, I block UDP inbound/outbound to port 80 and send a port unreachable if someone tries this. However, it would be a simple thing for someone off my network to abuse this, so you have to make sure you put a limit on the number of packets you send for the outbound packets. Or someone could use your firewall to hit someone else with a ton of ICMP packets; all it would take is a spoofed UDP flood. : ) Since we are a large ISP/Webhosting company I try to do everything I can to be a good net citizen.

Thanks

On Monday 25 March 2002 07:46 pm, Ramin Alidousti wrote:
> On Mon, Mar 25, 2002 at 05:30:46PM -0800, Rob Finneran wrote:
> > Good topic.
> >
> > I've read a CERT that states that ISPs should practice being good net
> > citizens by not allowing packets with spoofed IP addresses to leave their
> > networks.
>
> It's easier said than done. First of all, it should be done on the edge,
> otherwise a transit network cannot distinguish between a spoofed or a
> valid transit packet; secondly just imagine what the impact would be to
> filter on OC12 or 48 or even 192 interfaces... Another point is that not
> all spoofed packets are from different ISPs or even segments of an ISP, so
> there is still possibility for a spoofer to spoof...
>
> But in general, I agree, spoofed packets should get identified and dropped
> as early as possible, ideally on the very first hop.
>
> Ramin
>
> > Maybe I'm a little naive, but if everyone did this, wouldn't this prevent
> > the majority of hack attacks?
> >
> > Rob
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel F. Chief
> > Security Engineer -
> > Sent: Monday, March 25, 2002 2:31 PM
> > To: Netfilter - Mail list
> > Subject: Being a good netizen, with iptables.
> >
> >
> > This may be more philosophical than technical.
> >
> > I have several gateway firewalls using iptables : )
> >
> > Big ones; each one can see at peak around 100+ Mbs. I have many rules for
> > ports that are filtered to REJECT with an ICMP port or host unreachable. From
> > time to time I get e-mails from other _admins_ saying "Your IP
> > xxx.xxx.xxx.xxx is attacking us"; some of them include packet logs
> > showing the ICMP packets coming from my firewall. So basically I tell
> > them to check out their own system, as I know my firewalls are secure (of
> > course I check them out every time because I'm paranoid), telling them that
> > it is possible that someone spoofed their IP while sending me packets. But it
> > could be port scanners who may own the other guy's box or have an account
> > there which allows them to portscan.
> >
> > Using the REJECTs, it seems to me, would possibly draw attention to
> > these systems that are doing such naughty things when a netadmin
> > hopefully sees the potentially hundreds of ICMP port unreachables coming in
> > to his network headed for one machine. I know I have filters set up to see
> > this kind of stuff and alert me to the possibility of a compromised machine.
> >
> > I'm not trying to start a _Holy_war_ between DROP and REJECT fans, just
> > wondering what the consensus is here. What should a good netizen do these
> > days?
> >
> > TIA
> >
> >
> > --
> > Chief Security Engineer | Daniel Fairchild [EMAIL PROTECTED]
> > Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.

-- 
Chief Security Engineer | Daniel Fairchild [EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
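As an added illustration (not code from the post or the netfilter project), the following Python models why the reply limit matters: a REJECT rule answers every spoofed UDP packet to port 80 with an ICMP port unreachable aimed at the spoofed source, while an `iptables -m limit` token bucket in front of the REJECT caps that reflected traffic. The limiter is a simplified approximation of the kernel's, and the flood timestamps are constructed.

```python
"""Reflection risk of REJECT vs. a rate-limited REJECT, modelled in Python.

Corresponding iptables rules (real syntax, shown for reference only):
    iptables -A INPUT -p udp --dport 80 -m limit --limit 10/s --limit-burst 5 \
        -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p udp --dport 80 -j DROP   # everything over the limit
"""


class LimitMatch:
    """Simplified token bucket approximating `-m limit` (assumption: the
    real match works in jiffies; this uses float seconds)."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full, like -m limit
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill since the last packet, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def reflected_icmp(packet_times: list, limiter: LimitMatch = None) -> int:
    """Count ICMP port-unreachable replies the firewall would send towards the
    (spoofed) source: one per packet with plain REJECT, bucket-limited otherwise."""
    sent = 0
    for t in packet_times:
        if limiter is None or limiter.allow(t):
            sent += 1
    return sent


def spoofed_udp_flood(pps: int, seconds: float) -> list:
    """Constructed input: arrival times of a uniform UDP flood to port 80 whose
    source address is spoofed to be the victim."""
    return [i / pps for i in range(int(pps * seconds))]


if __name__ == "__main__":
    flood = spoofed_udp_flood(1000, 2.0)                   # 2000 packets in 2 s
    print("plain REJECT reflects:", reflected_icmp(flood))  # one reply per packet
    print("limited REJECT reflects:", reflected_icmp(flood, LimitMatch(10, 5)))
```

With the limit in place the victim receives the burst plus roughly ten replies per second regardless of how hard the flood pushes; without it the firewall mirrors the entire flood.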
