[NCLUG] Egress Filtering

Sean Reifschneider jafo-nclug at tummy.com
Fri Aug 10 01:41:48 MDT 2001


On Tue, Aug 07, 2001 at 04:22:59PM -0600, Michael Dwyer wrote:
>From my side, I cannot tell that Whitehouse.gov didn't actually send the
>echo request to me.  So, my computer plays nice and returns the ping.
>Add this up with thousands of other hosts, and suddenly
>www.whitehouse.gov is weathering a storm of ping replies[2].

That's not all that interesting though, since it's a 1:1 sort of thing.
The source host might as well be sending the mis-addressed packets directly
to whitehouse.gov.  The problem is when a system is sending ping packets to
the broadcast address and causing all the hosts on your network to respond
with pings (a ping multiplier).  Most large sites do disable these...

>The way to fix this is egress filtering.  The main CSU router that
>serves 129.82.0.0 could institute one little filtering rule.  The rule

You have to be *VERY* careful with adding filtering to large routers.  It's
easy enough to say when you're managing a router handling a single 1.5mbps
line.  It doesn't necessarily translate to a router handling multiple
45+mbps connections and doing all sorts of dynamic routing, etc...

High-end routers tend to work by having less powerful CPUs, and rather
smart interface cards.  These cards will often determine where a packet has
to go before the entire packet is even received from the wire, and hand
it off directly to another interface.  This is called the "fast path".
The packet never even makes it to the main router, nor is it handled by the CPU.

The addition of a single filter rule can be enough to move a packet from
the fast path to the slow path (where the CPU has to look it up and compare
it to different filters).

Also consider that you're often not dealing with just "your" IPs, but with
multi-homed or otherwise diverse sets of IPs.  Even just dropping private
addresses is more complex than a single rule adding "10.*", as there are a
number of those unroutable blocks...

Adding the filters to your borders with leaves can often be done -- putting
them on terminal servers.  However, Ascend equipment has historically not
had much in the way of capabilities for doing this, and even with Livingston,
who has had capabilities for easily managing this functionality, it can get
complex.  Instead of a single rule you can end up having to manage filter
rules across an ever increasing number of boxes.  The leaves are really
where it should happen though...

I'm a fan of filtering out IPs that aren't in your block.  It's not more
widely done, particularly on "main" routers, because of performance and
maintenance issues.

>told me that Earthlink won't let him contact our corporate mail server.
>They disallow any port 25 traffic except traffic to their own mail
>servers.  It seems harsh, but I bet Earthlink didn't have HALF the

Not surprising.  I expect to see more of it in the future (DUL makes it less
useful to do that anyway).  Hopefully in conjunction with better spam
protection to prevent their users from sending out junk mail.  Wish @Home
had that, that's for sure.

As far as SirCam though, doesn't it use Outlook to send the mail, as
opposed to making a direct outgoing connection?  In that case, unless the
ISP has filters in place, the mail is going to go out.  Now we get into the
question of why ISPs don't have virus scanning...  When HP implemented
virus scanning of e-mail, it started delaying mail delivery by 12 hours.
Lots of CPU time required for that.  Similar sort of issue...

>consider doing something this extreme, why won't people do egress
>filtering? There aren't any good reasons to allow spoofed packets out of
>your network.[6]

The problem can at times be identifying what is spoofed.  If you
pass traffic for another AS, you may not know what IP addresses can validly
be coming from your network.

>I cannot think of any reason not to do egress filtering.  I have heard
>it said that access lists slow down Cisco routers too much.  This would
>certainly be a Bad Thing, but would that one high level rule really do
>that much?

As explained above, yes it may.  However, there aren't very many networks
that could do it with just a single rule...  For even a fairly small ISP it
could easily be 5 rules (again, talking about their core router, if you
will).

>really a reason to not do this?  Does your network prohibit spoofed
>packets?

Mine currently?  Nope, not enough router huevos...  I *HAVE* set up ISP
networks in this way (again, mostly rules on the leaves of the networks
because of CPU resource starvation on the "main" routers)...

Sean
-- 
 The "PEANUTS" gang finds their first root-kit in "YOU'RE AN 3L33T H4CK3R
 NOW, CHARLIE BROWN".
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
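
The following is an added example, not code from the original post or from anyone on the NCLUG list. It models the egress filter Sean describes: drop the several unroutable source blocks (not just "10.*"), permit only sources from prefixes the network actually originates, and drop everything else. It also shows the transit-AS problem he raises: a downstream customer's prefix has to be listed explicitly or its traffic gets dropped as spoofed. The assumptions are constructed for the example: 129.82.0.0/16 is treated as the network's own block (the post mentions CSU's 129.82.0.0; nothing else about that network is assumed), 198.51.100.0/24 is an invented downstream customer, and the sample packets are invented (src, dst) pairs, not captures.

```python
"""
Added example (not from the original NCLUG post): a small model of the
"only our own source addresses may leave" egress filter under discussion.

Constructed assumptions:
  * 129.82.0.0/16 is the network's own address block.
  * 198.51.100.0/24 is a downstream customer AS whose traffic transits us.
  * SAMPLE_PACKETS are invented (src, dst) pairs, not captured traffic.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

# Source addresses that should never leave any network: RFC 1918 private
# space plus the other unroutable blocks.  This is why "drop 10.*" is not
# a single rule; a production bogon list is longer still.
BOGON_SOURCES: List[ipaddress.IPv4Network] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


class EgressFilter:
    """Permit an outbound packet only if its source address lies in a prefix
    this network is allowed to originate (its own blocks plus any customer
    or transit blocks), after first dropping bogon sources."""

    def __init__(self, own_prefixes: Iterable[str], transit_prefixes: Iterable[str] = ()):
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]
        self.transit = [ipaddress.ip_network(p) for p in transit_prefixes]

    def rule_count(self) -> int:
        # Bogon denies + one permit per originating prefix + the final deny.
        return len(BOGON_SOURCES) + len(self.own) + len(self.transit) + 1

    def check(self, src: str) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet with source address src."""
        addr = ipaddress.ip_address(src)
        for net in BOGON_SOURCES:
            if addr in net:
                return ("drop", f"bogon source {net}")
        for net in self.own:
            if addr in net:
                return ("permit", f"own prefix {net}")
        for net in self.transit:
            if addr in net:
                return ("permit", f"transit prefix {net}")
        # Anything else claims an address we do not originate: either it is
        # spoofed, or it belongs to a transit customer nobody added to the
        # list.  Both get dropped, which is the maintenance cost Sean notes.
        return ("drop", "source not in any originating prefix")

    def apply(self, packets: Sequence[Tuple[str, str]]) -> Dict[str, int]:
        """Run the filter over (src, dst) pairs and return verdict counts."""
        counts = {"permit": 0, "drop": 0}
        for src, _dst in packets:
            counts[self.check(src)[0]] += 1
        return counts


# Constructed sample traffic: destinations are documentation addresses.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("129.82.10.5", "192.0.2.1"),       # our own host: permit
    ("198.51.100.9", "203.0.113.5"),    # listed downstream customer: permit
    ("10.1.2.3", "192.0.2.1"),          # leaked private source: drop
    ("203.0.113.7", "129.82.1.1"),      # source we do not originate: drop
]


def build_filter() -> EgressFilter:
    """The filter for the assumed network: one own block, one transit block."""
    return EgressFilter(own_prefixes=["129.82.0.0/16"],
                        transit_prefixes=["198.51.100.0/24"])


if __name__ == "__main__":
    f = build_filter()
    for src, dst in SAMPLE_PACKETS:
        verdict, reason = f.check(src)
        print(f"{src:>14} -> {dst:<14} {verdict:6} ({reason})")
    print("rules needed:", f.rule_count(), "verdicts:", f.apply(SAMPLE_PACKETS))
```

Even this toy network needs eleven entries rather than one: eight bogon denies, two permits, and the closing deny. Omitting the transit prefix would silently drop the customer's legitimate traffic, which is the "what is spoofed?" problem for a network that carries another AS's packets.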