[NCLUG] Egress Filtering

Michael Dwyer mdwyer at sixthdimension.com
Wed Aug 8 01:26:22 MDT 2001


> I personally like the idea of egress filtering.  Basically, the router
> just has to do a lookup against its routing tables, but in a reverse
> manner.

If you are talking only about one static route (like I have in my
office), computationally it is an easy test -- it's just testing an IP
against a mask.  That's almost no processor usage at all, I would think...

> I don't know if the load on the router would increase significantly (it
> may very well cut the performance almost in half, since it has to do twice
> as many route lookups, or it may not... I have no idea the processor
> utilization on a typical router).

I think mine sits around 3% or something.  Again, though, it is a tiny
subnet.

> If it does affect the performance of the router significantly, then it
> might be difficult to get many people to implement it.  (egress filtering
> doesn't protect *your* network, it only protects the rest of the
> Internet..)

Right.  There is very little in the "what's in it for me" column.  But
maybe if you make it similar to the Open Mail Relay problem, people
would bite:  Close this hole, or people will steal your bandwidth
to attack people with.

> If egress routing was implemented on the majority of routers (and
> certainly all the big ones) this would stop many DDoS attacks.

Well... it would stop Smurfing cold.  Truthfully, it wouldn't do
all that much about other attacks, though.  But it would ensure 
that at least you could track the attacks reliably back to their
hosts. 

> Since this is something that would only be mutually beneficial and not
> individually beneficial, perhaps it would be appropriate for the
> government to require that all new routers implement egress routing.
> 
> (Although, I doubt that any new "cyber-terrorism" law that doesn't involve
> locking up people would get passed.  There's just no publicity in it...)

Hrm... do not look to the Feds to protect the Internet.  My
impression of their actions is that they are pretty weak in
that respect.  The General Accounting Office hacks their OWN
machines regularly and shows problems in government systems,
but even in the end all they can do is "suggest" that the
admins repair their systems...  The gov has no teeth on the
internet, yet... for better or for worse. (viz. DefCon 9's
Meet the Feds panel)
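The mechanism the thread is discussing, as an added illustration that is not part of the mailing-list message: a toy reverse-path filter that looks the packet's source address up in the routing table and forwards only if the route back to that source leaves by the interface the packet arrived on. The routing table, interface names and sample packets are all constructed for the example; the single-route case is the plain address-and-mask comparison mentioned above.

```python
"""Toy egress / reverse-path filter: look the packet's *source* up in the
routing table and require that the matching route points back out the
interface the packet came in on.  Constructed example, not real router code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed routing table for a small office router: prefix -> interface.
# The topology is assumed for the example.
ROUTES = {
    ipaddress.ip_network("192.168.10.0/24"): "eth0",  # office LAN
    ipaddress.ip_network("192.168.20.0/24"): "eth1",  # lab subnet
    ipaddress.ip_network("0.0.0.0/0"): "ppp0",        # default route to the ISP
}


@dataclass(frozen=True)
class Packet:
    src: str       # source IP as text
    dst: str       # destination IP as text
    in_iface: str  # interface the packet arrived on


def lookup(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for net, iface in ROUTES.items():
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reverse_path_ok(pkt):
    """Egress / reverse-path check.

    The route *back to the source* must leave via the interface the packet
    arrived on; otherwise that source is not reachable through that
    interface and the address is treated as spoofed.
    """
    return lookup(pkt.src) == pkt.in_iface


def single_subnet_egress_ok(src, local_net="192.168.10.0/24"):
    """The one-static-route case: a packet leaving the site may only carry a
    source inside the local subnet, which is a single address-and-mask test."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_net)


def filter_packets(packets):
    """Split packets into (forwarded, dropped) according to reverse_path_ok."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if reverse_path_ok(p) else dropped).append(p)
    return forwarded, dropped


# Constructed sample traffic.
SAMPLE = [
    Packet("192.168.10.5", "203.0.113.9", "eth0"),   # office host going out
    Packet("192.168.20.7", "203.0.113.9", "eth1"),   # lab host going out
    Packet("203.0.113.77", "192.168.10.5", "ppp0"),  # reply coming in from the ISP
    Packet("198.51.100.1", "203.0.113.9", "eth0"),   # office host using an outside source
    Packet("192.168.20.7", "203.0.113.9", "eth0"),   # lab address appearing on the office LAN
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("forward", p)
    for p in drp:
        print("drop   ", p)
```

The same check applied to the ISP-facing interface is ingress filtering: a packet arriving on ppp0 with a 192.168.10.x source is dropped because that prefix routes to eth0. Note that a default route makes the check on ppp0 accept any source not covered by a more specific prefix, so the filter only catches spoofing on the interfaces whose prefixes the router actually knows.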