No subject


Tue Jun 4 12:25:35 MDT 2013


echo request to me.  So, my computer plays nice and returns the ping.
Add this up with thousands of other hosts, and suddenly
www.whitehouse.gov is weathering a storm of ping replies[2].

The way to fix this is egress filtering.  The main CSU router that
serves 129.82.0.0 could institute one little filtering rule.  The rule
goes like this[3]:

   If source address is not in 129.82.0.0/16 then drop it.

   access-list <nnn> permit ip 129.82.0.0 0.0.255.255 any
   ! anything not matched above falls to the implicit deny and is dropped

   interface <outside-interface>
    ip access-group <nnn> out

Now, the only packets allowed to leave CSU are those with FROM addresses
of CSU.  Spoofing is now limited to the local subnet.
Holly.colostate.edu can spoof as Lamar.colostate.edu, but
Holly.colostate.edu cannot spoof as www.whitehouse.gov.

Okay, so all that dry stuff behind me, I guess the question is, why
doesn't @Home do this?  Do you know Steve Gibson of the Gibson Research
Corporation?  He's a PR-hound if I ever saw one...  Although he has
moments of sharpness, he mostly seems to do the Geraldo-esque
sensationalism. One of his dull-as-an-egg moments was his denouncing of
Windows XP because of its capability to do raw sockets[4].  His claim is
that the spread of raw-socket-capable machines will make spoofing even
more prevalent, and the internet will cease to exist, and Skynet will
take over, and the U.N. will roll in with their black helico--  er...

He's horribly misled.  Raw sockets aren't the problem. Networks that
allow unreasonable packets to pass unmolested are a problem.  If @Home
instituted egress filtering, spoofing from 24-net would go away, at
least as far as the rest of the Internet is concerned.

Some places are already doing this.  For instance, one of my users just
told me that Earthlink won't let him contact our corporate mail server.
They disallow any port 25 traffic except traffic to their own mail
servers.  It seems harsh, but I bet Earthlink didn't have HALF the
trouble with, say, SirCam[5] that the rest of the world had.  They had
one choke-point -- their own mail server -- and SirCam wasn't allowed to
create its own SMTP connections or connect to foreign ones.

I appreciate the open network.  I would complain bitterly if @Home
started blocking ports.  I think that is extreme. If an ISP will
consider doing something this extreme, why won't people do egress
filtering? There aren't any good reasons to allow spoofed packets out of
your network.[6]

I cannot think of any reason not to do egress filtering.  I have heard
it said that access lists slow down Cisco routers too much.  This would
certainly be a Bad Thing, but would that one high level rule really do
that much?

Anyway, there's my rant for the day...  It is really more suitable for
an Internet list than a Linux list, but I really hope that some of the
network admins on the list will note this and add comments.  Is there
really a reason to not do this?  Does your network prohibit spoofed
packets?

[0] This is one of the Code Red issues that the GIAC[7] is considering -
ANYBODY can run a server nowadays, but watching security lists is not a
requirement.  There are a LOT of people out there who don't hear about
problems with their own equipment until they end up on the evening news.
[1] http://www.cert.org/ CERT(r) Coordination Center at CMU
[2] Ping floods are easy enough to filter, but wouldn't you rather they
just didn't happen?
[3] http://www.insecure.org/news/P55-10.txt Building Bastion Routers
Using Cisco IOS
[4] http://grc.com/dos/intro.htm The Microsoft Windows XP Denial of
Service Pages
[5] http://vil.mcafee.com/dispVirus.asp?virus_k=99141 W32/SirCam at MM
[6] Spoofed packets can be used to traceroute from a specific location.
This is more Source Routing, though... that should be turned off, too,
though. :) [3]
[7] http://www.incidents.org/
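The following is an added example, not part of the post above and not anyone's production router config: a small Python model of the egress rule "if source address is not in 129.82.0.0/16 then drop it", run over a handful of constructed packets so you can see which ones the border router would pass and which it would drop, including the local-subnet spoofing case the post says survives. It also renders the equivalent Cisco IOS extended ACL text from the prefix. The ACL number 101, the interface name, and every address other than 129.82.0.0/16 (all taken from RFC 5737 documentation space) are assumptions made for the example.

```python
# Added example (not from the original post or from CSU): model the
# egress rule "if source address is not in 129.82.0.0/16 then drop it"
# and show which packets it catches.  Only 129.82.0.0/16 comes from the
# post; every other address below is constructed for illustration.
from ipaddress import ip_address, ip_network

CSU_NET = ip_network("129.82.0.0/16")  # the campus block named in the post


def egress_allowed(src, net=CSU_NET):
    """Egress rule at the border: a packet may leave only if its source is ours."""
    return ip_address(src) in net


def ingress_allowed(src, net=CSU_NET):
    """Mirror rule on the way in: nobody outside may claim a source inside our block."""
    return ip_address(src) not in net


def filter_outbound(packets, net=CSU_NET):
    """Apply the egress rule to (src, dst, description) tuples.

    Returns (passed, dropped).  Note that a campus host forging the address
    of *another* campus host still passes: the /16 rule cannot see that.
    """
    passed, dropped = [], []
    for pkt in packets:
        (passed if egress_allowed(pkt[0], net) else dropped).append(pkt)
    return passed, dropped


def to_ios_acl(net=CSU_NET, number=101):
    """Render the rule as a Cisco IOS extended ACL (number 101 is assumed).

    IOS uses a wildcard mask (inverse of the netmask), which ipaddress
    exposes as .hostmask, e.g. 0.0.255.255 for a /16.
    """
    return [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any",
        f"access-list {number} deny ip any any log",  # explicit form of the implicit deny
    ]


def apply_to_interface(number=101, iface="Serial0"):
    """Lines that attach the ACL outbound on the border interface (iface assumed)."""
    return [f"interface {iface}", f" ip access-group {number} out"]


# Constructed traffic seen leaving the campus border.  198.51.100.7 stands in
# for the victim whose address is being forged; 203.0.113.4 is just another
# outside host.  Neither is a real target.
OUTBOUND = [
    ("129.82.10.5", "198.51.100.7", "genuine campus host pinging outside"),
    ("198.51.100.7", "203.0.113.4", "forged victim source; reply would hit the victim"),
    ("129.82.10.6", "129.82.10.9", "Holly pretending to be Lamar: same /16, not caught"),
    ("203.0.113.4", "198.51.100.7", "some other forged outside source"),
]

if __name__ == "__main__":
    passed, dropped = filter_outbound(OUTBOUND)
    for pkt in passed:
        print("PASS", pkt)
    for pkt in dropped:
        print("DROP", pkt)
    print("\n".join(to_ios_acl() + apply_to_interface()))
```

Run it and the two packets with outside source addresses are dropped while the intra-campus spoof passes, which is exactly the limit the post describes: egress filtering at the /16 border stops your network from being an origin for spoofed traffic aimed at the rest of the Internet, but not a host impersonating its neighbour.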




More information about the NCLUG mailing list