Yes, it would be a huge pain, which means (unfortunately)
we probably won't see it for a while on a large scale.
It's as much of a pain as upgrading the software on
the routers, but that will happen eventually anyway.
If the router vendor made the option simpler (Cisco,
are you listening?) it would get rolled in automatically.
As to where to put the access-lists (or equivalent) I think
the only place I would ever consider trying it would
be on the "leaf" interfaces... where there is a very limited list
of addresses a packet should be coming from.
I also suspect that it's more necessary on things like
modem pool interfaces... most sites with a leased line
wouldn't want to try an attack that could be traced back to a fixed
point. If one of their users is doing it without the site's net guy's
knowledge, at least there is a chance it can be traced back
to an individual.
But, absolutely, I'd like to see a "no spoof" option
right there alongside "no proxy" and "no mop" etc.
(With my NAT based firewall....my users can't spoof
without being traced back to my site...)
Ryan
---------- Previous Message ----------
To: firewalls
cc:
From: Doug.Hughes@Eng.Auburn.EDU (Doug Hughes) @ smtp
Date: 09/12/96 04:48:14 PM
Subject: Re: SYN floods continue (fwd)
After some reformatting it was determined that Ryan wrote:
>>
>>Just thinking out loud here. Wouldn't it be nice if the major
>>router vendors for the Internet (esp Cisco) had an option that you
>>could turn on that would just disregard spoofing from an address
>>that would normally come from another interface. Kind of a modified
>>split horizons.
>> The router knows which interface is the next hop to a certain network
>>address. If it hears a source address of that interface coming from
>>somewhere else, it should drop the packet on the floor (and possibly
>>send a syslog message - another option)
>>
>>interface serial0
>>ip no-source-spoofing
>>ip spoofing-syslog
>>
>>Yes, this will take more CPU processing, possibly more than current
>>backbone routers could handle. But it sure would be a nice option
>>wouldn't it? :)
>> A source address look-aside co-processor...
>>IOS 11.3?
>
>It can be done now with a simple access-list.
>
>Say, you've got a modem pool that has addresses in the
>range 199.199.199.x
>
>access-list 100 permit ip 199.199.199.0 0.0.0.255 any
>
>interface Ethernet1/1
>ip access-group 100 out
>
>(or something like that...if you must correct my syntax, go ahead..)
>
If you want to do it on a onesy-twosy basis, this is fine, but there
are 10s of thousands of routes on the internet. Building access lists
for all of them and binding to an interface would be horrific (as well
as not handling redundant paths).
>I, too, would like to see it more of an automatic/easy
>option. I bet after they track this guy down, the ISP
>adds something like this...
>
> Ryan
I'm thinking of something like this:
A router has (for instance) 3 interfaces, s1, s2, s3.
s2 has a route to network 3. Therefore, if we see a source address of
network 3 coming in on either s1 or s3, it has to be bogus. Now, let's
say there is a backup route (using a lower priority route metric) on
interface s1. Normally, a source address of 3.X.X.X from s1 would be bogus,
but if interface s2 goes down, then it would be okay. One appearing on
interface s3 would still be utterly bogus. So, changes in topology would
possibly require rebuilding the 'boggosity-table' which determines
if a source address is valid on a particular interface or not. Yes, as I said,
it would be much more CPU intensive (probably memory too).
Default configuration: routers examine destination address and forward
packet along its way. This new option would require the router to examine
the source AND the destination (+ whatever access lists may require).
The source would be checked for spoofing.
As someone else mentioned, this probably wouldn't work where asymmetric
routing topologies were in place. But, if the outlying leaf routers
were to use it on their Internet links, and if the major providers were
to use something like this (SURA, MCI, Sprint, AT&T, ANS, etc), then
it would become less and less likely for this type of traffic to propagate.
All you need is one router between any two places with this sort of measure
in place to effectively stop the traffic.
--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
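The per-interface source check Doug sketches above (and the "leaf interface" placement Ryan argues for at the top of the thread) can be modelled in a few dozen lines. The following is an added example, not code from either poster and not a Cisco feature: it builds the "boggosity-table" from the live routes (best metric per prefix, skipping interfaces that are down), rebuilds it on a topology change, and drops packets whose source prefix is not expected on the arriving interface, emitting a syslog-style message as the hypothetical `ip spoofing-syslog` option would. The interface names, prefixes and the three-interface scenario are taken from Doug's description; the decision to treat a source with no live route back at all as bogus is an assumption of this example, as is the `Router`/`receive` API.

```python
"""Toy model of a per-interface source-address sanity check ("no-spoof" option).

Added example, not code from the thread. The 'expected' table plays the role
of Doug's 'boggosity-table': for each known prefix, the interface a packet
from that prefix must arrive on, derived from the current best route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int          # lower metric wins; a backup route carries a higher one


class Router:
    def __init__(self, interfaces):
        self.interfaces = set(interfaces)
        self.routes = []
        self.down = set()      # interfaces currently out of service
        self.expected = {}     # prefix -> interface a source in that prefix must arrive on
        self.syslog = []       # what the hypothetical 'ip spoofing-syslog' option would log

    def add_route(self, prefix, interface, metric=10):
        if interface not in self.interfaces:
            raise ValueError(f"unknown interface {interface}")
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric))
        self.rebuild()

    def set_interface(self, interface, up):
        """Bring an interface up or down; any change forces a table rebuild."""
        if up:
            self.down.discard(interface)
        else:
            self.down.add(interface)
        self.rebuild()

    def rebuild(self):
        """Recompute the expected arrival interface for every prefix from live routes."""
        self.expected = {}
        for route in sorted(self.routes, key=lambda r: r.metric):
            if route.interface in self.down or route.prefix in self.expected:
                continue           # dead interface, or a better route already chosen
            self.expected[route.prefix] = route.interface

    def expected_for(self, src):
        """Longest-prefix match of the source against the table; None if no route."""
        src = ipaddress.ip_address(src)
        matches = [p for p in self.expected if src in p]
        if not matches:
            return None
        return self.expected[max(matches, key=lambda p: p.prefixlen)]

    def source_is_bogus(self, interface, src):
        expected = self.expected_for(src)
        if expected is None:
            # Assumption of this example: no live route back means we would never
            # reach the claimed source, so treat it as bogus (the strict form of the check).
            return True
        return expected != interface

    def receive(self, interface, src, dst):
        """Return 'drop' or 'forward' for a packet arriving on `interface`.

        Caveat from the thread: with asymmetric routing the packet may legitimately
        arrive on an interface other than the one we would use to reach its source,
        and this check would wrongly drop it.
        """
        if self.source_is_bogus(interface, src):
            self.syslog.append(f"SPOOF: src {src} dst {dst} arrived on {interface}, "
                               f"expected {self.expected_for(src)}")
            return "drop"
        return "forward"


def demo():
    """Doug's scenario: s2 primary to net 3, s1 backup, s3 unrelated; then s2 goes down."""
    r = Router(["s1", "s2", "s3"])
    r.add_route("3.0.0.0/8", "s2", metric=10)    # primary path to network 3
    r.add_route("3.0.0.0/8", "s1", metric=20)    # backup path, worse metric
    r.add_route("10.0.0.0/8", "s3", metric=10)   # constructed: some other network via s3
    # Constructed packets: a source in network 3 arriving on each interface in turn.
    before = [r.receive(i, "3.1.2.3", "10.9.9.9") for i in ("s1", "s2", "s3")]
    r.set_interface("s2", up=False)              # topology change: table is rebuilt
    after = [r.receive(i, "3.1.2.3", "10.9.9.9") for i in ("s1", "s2", "s3")]
    return before, after, len(r.syslog)


if __name__ == "__main__":
    print(demo())
```

With s2 up, only the packet arriving on s2 is forwarded; once s2 is down the backup interface s1 becomes the expected one and s3 stays bogus throughout, which is exactly the rebuild-on-topology-change cost Doug points at. The `expected_for` lookup is the per-packet work the router would add on top of the ordinary destination lookup.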