Re: [swinog] [Fwd: [Full-disclosure] DNS Smurf revisited]

2005-05-31 Discussion thread Philippe Strauss
On Tue, May 31, 2005 at 10:49:00AM +0200, Beat Rubischon wrote:
 Hello!
 
 Am 30.05.05 schrieb Philippe Strauss:
 
   sunrise freesurf used to allow this also, didn't try for some time.
   (it even let source address be in the private address space)
  amazing to still see this in 2005!
 
 Each filter takes some CPU cycles. And CPU power is still really
 expensive on a Cisco device.
 
 A word stolen from the IBM world: You will never have
 performance problems. You may have financial problems, but you
 will never have performance problems.


With a simple search on Google, I found a paper
about a routing table lookup algorithm, on a standard CPU,
able to do 30 million lookups per second (on a 500 MHz CPU).
With current CPU frequencies, it would rather be 120 million/s;
on such commodity PCs the bottleneck is the bus architecture, though.

2 Gbit/s of traffic translates to roughly 40 packets per second;
that leaves a lot of spare CPU time.

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch/
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] [Fwd: [Full-disclosure] DNS Smurf revisited]

2005-05-30 Discussion thread Marc SCHAEFER
On Fri, May 27, 2005 at 09:31:32PM +0200, Simon Leinen wrote:
 I can spoof packets from my home broadband connection (and probably
 the 299'999 other broadband customers of that Swiss ISP can do so as
 well :-).  Hopefully other Swiss ISPs do this better.

Sunrise freesurf used to allow this also; I didn't try it for some time.

(It even let the source address be in the private address space.)



Re: [swinog] [Fwd: [Full-disclosure] DNS Smurf revisited]

2005-05-30 Discussion thread Philippe Strauss
On Mon, May 30, 2005 at 09:55:39AM +0200, Marc SCHAEFER wrote:
 On Fri, May 27, 2005 at 09:31:32PM +0200, Simon Leinen wrote:
  I can spoof packets from my home broadband connection (and probably
  the 299'999 other broadband customers of that Swiss ISP can do so as
  well :-).  Hopefully other Swiss ISPs do this better.
 
 sunrise freesurf used to allow this also, didn't try for some time.
 
 (it even let source address be in the private address space)

Amazing to still see this in 2005!
Is there a valid argument from these ISPs, or is it
ignorance / badly designed networks??

on the leaf interfaces of the ISP routing topology:

(cisco)
ip verify unicast reverse-path

(linux)
echo 1 > /proc/sys/net/ipv4/conf/ethN/rp_filter

There is still this good paper from Cisco; it's a bit
dated, but that probably means no really valuable features were added
to IOS since 2001:

http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip


bye.

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
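What the two one-liners above actually decide per packet, as an added example written for this archive page (not code from the list, from Cisco IOS or from the Linux kernel): a strict-mode reverse path check over a constructed routing table, with a hypothetical edge router, two customer leaf interfaces and constructed sample traffic, including the private-address-space source mentioned in the thread.

```python
"""Strict unicast reverse-path (uRPF) check, simulated.

Added example for this thread, not code from the list, Cisco IOS or
the Linux kernel.  Models what `ip verify unicast reverse-path` (IOS)
and rp_filter=1 (Linux) do on a leaf interface: look up the *source*
of an arriving packet and accept it only if the best route back to
that source leaves via the arrival interface.  All data is constructed.
"""
import ipaddress

# Hypothetical ISP edge router routing table, (prefix, egress interface):
# two customer leaf interfaces plus a default route toward the core.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "core0"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust1"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust2"),
]

def lookup(table, addr):
    """Longest-prefix match: interface used to reach `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def strict_urpf_accept(table, in_iface, src):
    """Accept only if the return path to `src` is the arrival interface;
    a source with no route at all is dropped, as rp_filter does.  (IOS
    skips the default route here unless `allow-default` is set; ours
    points at the core, so the verdict is the same.)"""
    return lookup(table, src) == in_iface

def filter_packets(table, packets):
    """Split (in_iface, src, dst) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if strict_urpf_accept(table, pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped

# Constructed traffic arriving on the customer leaf interfaces.
PACKETS = [
    ("cust1", "198.51.100.7", "192.0.2.53"),  # genuine customer source
    ("cust1", "203.0.113.9", "192.0.2.53"),   # spoofed: lives behind cust2
    ("cust2", "10.0.0.5", "192.0.2.53"),      # spoofed RFC 1918 source
    ("cust2", "8.8.8.8", "192.0.2.53"),       # spoofed: return path is core0
]
```

Only the first packet survives `filter_packets(ROUTES, PACKETS)`; the private source is dropped without any bogon list because no route points back out of the interface it arrived on.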


Re: [swinog] [Fwd: [Full-disclosure] DNS Smurf revisited]

2005-05-30 Discussion thread Philippe Strauss
On Mon, May 30, 2005 at 05:59:35PM +0200, Jean-Pierre Schwickerath wrote:
 
  is there valuable argument from these ISP or is it
  ignorance / badly designed networks??
 
 Once someone told me they couldn't do it because it would add too much
 delay to the packet and that their hardware would have to throttle
 the throughput if they wanted to do that on gigabit links.

Performance problems on an operation which is basically a routing lookup
4 bytes aside from the usual place? Funky.

 But then someone has to explain to me how other people manage to do full
 NIDS inspection on gigabit links.

Absolutely.

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch/


Re: [swinog] [Fwd: [Full-disclosure] DNS Smurf revisited]

2005-05-27 Discussion thread Simon Leinen
Fabian Wenk writes:
 This mail [1] arrived just over the Full-Disclosure mailing list [2],
 but should probably also be of interest to some people here.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034342.html
[2] https://lists.grok.org.uk/mailman/listinfo/full-disclosure

Yes, at least it should remind our community that ingress filtering is
important.  When I tried the spoofer test software from
http://momo.lcs.mit.edu/spoofer/#software , I was shocked to see that
I can spoof packets from my home broadband connection (and probably
the 299'999 other broadband customers of that Swiss ISP can do so as
well :-).  Hopefully other Swiss ISPs do this better.

I hate to say something in defense of NATs, but at least the problem
is somewhat mitigated by the fact that many surfers (especially those
with broadband connections) use NATs.  They make address spoofing from
compromised PCs ineffective.

As for enterprise connections, I'm not sure.  I assume most small
enterprises use NATs as well.  Large enterprises use firewalls, but if
something behind the firewall does get infected, I'm not sure those
firewalls would protect the outside world against spoofed packets (or
any other kind of junk) from those machines.
-- 
Simon.
PS. SWITCH has ingress filters on all customer access interfaces, so
compromised systems inside universities cannot use spoofed source
addresses from outside the respective site's address space.
