
Re: [apnic-talk] NICs and Egress filtering?



Ok, OK! I'll crawl back into my hole ;-)  I never said this was
practical, just discussion...



> > > I think the more usual place to apply filters to catch spoofing is
> > > on the ingress to your network, on the customer-facing circuit.
> > > Packet filtering is frequently expensive, which is a good reason
> > > to push it out to the edge.
> > >
> >
> > An egress filter prevents spoofed addresses entering the Internet from
> > that router
> 
> To use egress filters reliably, you would have to place them on every
> customer-, peer- and provider-facing router interface. 

I'm not sure where these three precisely delineate. I was thinking of
the level just above the customer only. If that level is filtered the
higher ones wouldn't require it, would they?


> That's an O(n^2)
> configuration problem, and also requires placing packet filters on fat
> trunks to peers and providers.
> 
> Using ingress filters on customer-facing interfaces is an O(n)
> configuration problem, and avoids the requirement for filtering
> on peer and provider circuits.

An ingress filter has no effect on flooding-type denial-of-service
attacks -- if the packets can reach the destination they have achieved
their purpose.  Also, spoofers can use 'real' IP addresses (but not their
own) and thus circumvent any ingress filter.  I often get packets
spoofed with my network addresses from third-party DoS attacks.
  
> 
> > > > It seems to me the major NICs are about the only body that have the
> > > > where-with-all to enforce these filters.
> > >
> > > How would they enforce them?
> >
> > No filter, no route your network of course!
> 
> (a) APNIC, ARIN and RIPE have no say in how your network gets routed.
> 
Ok, these NICs do determine who uses a particular address, no?  If not
by routing, how do they stop someone from using an address?

> (b) The only person who would know if the filters were not in place
> would be the customer. If they were a good customer, they wouldn't need
> them; if they were an evil customer, they would keep quiet so they
> could exploit the hole.
> 
> Joe


My problem with doing nothing is that enough users just don't do egress
filtering (for that matter, they don't do ingress filters or any security
whatsoever) to give hackers/vandals plenty of scope to do as they
will. As ISPs have shown little inclination to protect their clients and
OSes/software remain insecure out of the box, what is left?  This
problem is only going to get worse, and it is in *all* our interests to
prevent another huge DDoS attack from happening as did last February.


-- 

Phil Crooker            ORIX Australia       		61 8 8443 6844
UNIX SysAdmin 		pcrooker@orix.com.au		61 8 8443 6955 (fax)
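An added illustration of the filter placements argued over in the message above (example code written for this page; it is not from the original thread and not a router vendor's configuration). It is a small Python model of a provider edge with customer-facing and transit interfaces. The interface names, the prefix assignments (drawn from the RFC 5737 documentation ranges) and the sample packets are all constructed for the example. It counts filter entries for the two placements under the assumption the quoted argument makes, that per-customer prefixes are not aggregated, and it shows what a customer-edge ingress filter does with a packet whose source is a 'real' address held by a different customer, with a packet from an address the sending customer actually holds (a flood from such a host passes untouched, since the filter checks addresses, not volume), and with a packet carrying one of the provider's own addresses that arrives from a peer.

```python
"""Added example: where source-address filters sit and what they catch.

Everything below (interface names, prefixes, packets) is constructed for
the illustration; the prefixes come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst")

# Constructed topology: two customer-facing interfaces, one peer, one upstream.
CUSTOMER_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/24", "203.0.113.0/25"],
}
TRANSIT_IFACES = ["peer-1", "upstream-1"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def build_customer_ingress_filters(customers):
    """Ingress filter on each customer-facing interface: permit only the
    prefixes assigned to that customer.  Total entries grow linearly with
    the number of assigned prefixes (the O(n) placement in the thread)."""
    return {iface: _nets(prefixes) for iface, prefixes in customers.items()}


def build_egress_filters_everywhere(customers, transit):
    """Egress filter on every customer-, peer- and provider-facing interface:
    each interface carries the full list of the network's prefixes.  With
    no aggregation (the assumption behind the O(n^2) figure) the entry
    count is (customer interfaces + transit interfaces) * prefixes."""
    all_nets = _nets(p for ps in customers.values() for p in ps)
    return {iface: list(all_nets) for iface in list(customers) + transit}


def build_transit_ingress_filters(customers, transit):
    """Deny the network's own prefixes as *source* on peer/upstream
    interfaces, so a third party cannot send packets spoofed with those
    addresses back in through a transit circuit."""
    own = _nets(p for ps in customers.values() for p in ps)
    return {iface: own for iface in transit}


def entry_count(filters):
    return sum(len(v) for v in filters.values())


def permitted(customer_filters, transit_filters, pkt):
    """Apply the filter of the interface the packet arrived on."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface in customer_filters:
        # Customer edge: the source must be an address that customer holds.
        # Note this says nothing about how many packets the host sends.
        return any(src in net for net in customer_filters[pkt.iface])
    if pkt.iface in transit_filters:
        # Transit edge: the source must NOT be one of our own prefixes.
        return not any(src in net for net in transit_filters[pkt.iface])
    return True  # no filter configured on this interface


def run(packets, customers=CUSTOMER_PREFIXES, transit=TRANSIT_IFACES):
    """Return (passed, dropped) for a list of packets."""
    cust = build_customer_ingress_filters(customers)
    tr = build_transit_ingress_filters(customers, transit)
    passed = [p for p in packets if permitted(cust, tr, p)]
    dropped = [p for p in packets if not permitted(cust, tr, p)]
    return passed, dropped


SAMPLE_PACKETS = [  # constructed; 203.0.113.5 is a cust-B host under attack
    Packet("cust-A", "192.0.2.10", "203.0.113.5"),      # cust-A's own address
    Packet("cust-A", "198.51.100.5", "203.0.113.5"),    # 'real' address, but cust-B's
    Packet("cust-A", "10.0.0.1", "203.0.113.5"),        # bogus source
    Packet("peer-1", "192.0.2.10", "203.0.113.5"),      # our address arriving from a peer
    Packet("peer-1", "203.0.113.200", "203.0.113.5"),   # ordinary inbound traffic
]

if __name__ == "__main__":
    print("customer ingress entries:",
          entry_count(build_customer_ingress_filters(CUSTOMER_PREFIXES)))
    print("egress-everywhere entries:",
          entry_count(build_egress_filters_everywhere(CUSTOMER_PREFIXES, TRANSIT_IFACES)))
    passed, dropped = run(SAMPLE_PACKETS)
    for p in passed:
        print("PASS", p.iface, p.src)
    for p in dropped:
        print("DROP", p.iface, p.src)
    flood = [SAMPLE_PACKETS[0]] * 1000
    print("flood from a legitimate address passed:", len(run(flood)[0]), "of 1000")
```

The model separates the two properties the thread runs together: a customer-edge ingress filter rejects any source the customer was not assigned, whether or not that address is in use elsewhere, while it cannot distinguish a flood from a legitimate host from that host's normal traffic. The transit-side filter is the one that addresses packets carrying the provider's own addresses from outside; it is independent of the customer-edge filters and is included here as an assumption about sensible placement, not as anything the thread itself prescribes.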

*              APNIC-TALK: General APNIC Discussion List             *
* To unsubscribe: send "unsubscribe" to apnic-talk-request@apnic.net *