
Re: [apnic-talk] NICs and Egress filtering?



Jeff Williams wrote:
> 
> Phil and all,
> 
>   Interesting topic.  (See more of my comments below)
> 
> Phil Crooker wrote:
> 
> > Hi,
> >
> > I look after Internet security for our company and have often wondered
> > ....
> >
> > Considering how important egress filtering of spoofed IP addresses is in
> > preventing Distributed Denial Of Service attacks, I was wondering
> > whether APNIC and the other NICs have considered requiring IP address
> > holders to apply egress filters on their boundary routers?
> 
>   Egress filtering is only one such method of dealing with these problems.
> Requiring only one such method is inconsistent with good IP address
> and router management in some sectors.
> 

Yes, but it is such a fundamental measure:  if we positively know where
a packet is coming from we can track this stuff down. And from my myopic
viewpoint one of the few measures that can be universally implemented:
we wouldn't need to rely on end users' goodwill or knowledge.  It would
eliminate a whole layer of obfuscation currently available to hackers
/ vandals.

>  I am afraid it would meet with some significant resistance.

Technical and/or "it's too hard"?

> >
> >
> > It seems to me the major NICs are about the only body that have the
> > wherewithal to enforce these filters.  Once done, we would not only
> > eliminate DDOS attacks but also make DOS trackable, eliminate spam
> > spoofing and hacker techniques that use spoofing.
> 
>   Egress is also "Spoofable" as has been already shown.
> 

If I have a filter on my boundary router only permitting outbound
packets with a source address of my network, how can this be defeated?

> >
> >
> > I guess the main problem would be how to test for it externally.
> >
> > Anyone care to comment?
> 
>   Just did.  >;)
> 

yes, thanks

-- 

Phil Crooker            ORIX Australia       		61 8 8443 6844
UNIX SysAdmin 		pcrooker@orix.com.au		61 8 8443 6955 (fax)
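
The boundary filter described in the message above (permit outbound packets only when the source address belongs to the local network), sketched as an added example that is not part of the original message. The site prefixes, function names and packet records are assumptions, constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: the site's own address space (documentation prefixes, not real allocations).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed sample of outbound packets seen at the boundary: (source, destination).
SAMPLE_OUTBOUND = [
    ("192.0.2.17", "198.51.100.5"),           # legitimate host
    ("10.1.2.3", "198.51.100.5"),             # leaked private (RFC 1918) source
    ("203.0.113.9", "198.51.100.5"),          # source from another network's space
    ("2001:db8:10::25", "2001:db8:ffff::1"),  # legitimate IPv6 host
    ("2001:db8:99::1", "2001:db8:ffff::1"),   # IPv6 source outside the site prefix
    ("192.0.2.200", "198.51.100.5"),          # inside the prefix: the boundary filter
                                              # cannot tell which internal host sent it
    ("not-an-ip", "198.51.100.5"),            # malformed record
]

def egress_verdict(src, prefixes=SITE_PREFIXES):
    """Return 'permit' if src lies inside one of the site's prefixes, else 'deny'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny"  # unparsable source address: fail closed
    # Only compare against prefixes of the same IP version.
    inside = any(addr.version == net.version and addr in net for net in prefixes)
    return "permit" if inside else "deny"

def apply_egress_filter(packets, prefixes=SITE_PREFIXES):
    """Split packets into forwarded and dropped, and count drops per source address."""
    forwarded, dropped = [], []
    for src, dst in packets:
        target = forwarded if egress_verdict(src, prefixes) == "permit" else dropped
        target.append((src, dst))
    return forwarded, dropped, Counter(src for src, _ in dropped)

if __name__ == "__main__":
    fwd, drop, per_source = apply_egress_filter(SAMPLE_OUTBOUND)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for src, count in per_source.most_common():
        print(f"  dropped source {src}: {count} packet(s)")
```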
