NSPs and filters (fwd)

This is not a nice thing to do to a router, especially while the router is
trying to keep up with 50 other customers... And if more than 1 customer
wants this type of service, you start really feeling the load.

I'm not saying UUNet should install whatever filters I want on their
routers. I'm just saying the net would be a MUCH nicer place if NSPs all
did ingress filtering on their customer connections. If current routers
can't handle the load this would create, then NSPs need to find vendors
willing to deliver the necessary power, or they need to rethink the way
they design their networks.

Then couldn't the net also be a nicer place if the 'customer' filtered
their outbound packets? Of course this involves trusting the engineers of
the downstream network to actually DO the filtering.

Why have an NSP drop several customers off of the net because of one
pre-pubescent ping flooder, when the offending customer himself can be
dropped (unless his network is administered by pre-pubescent ping flooders)
and not affect anyone else?

Michael

Obviously my previous posts were too simple and people didn't get the
message...some even flamed me.

In the cases where the customer runs the router at their site, this would
be a likely place for filters to be installed. NSPs should require these
customers to either have such filters on their routers, or if appropriate,
on their customers' routers. For really big ISPs, they should require
that their customers' customers run with such filters, and so on.

There should be clear rules and policies dealing with this...not just an
unwritten "you really shouldn't do that". The thing that bugs me the most
about FDT's 72 hours of UDP attack is that it almost certainly came from
the admin of some well connected site or from a colo box somewhere.
Unless I'm mistaken, forged UDP requires root access and (at the volume we
received) was likely from a host with T1 or better connection to the net.
This site, or its NSP (if the NSP provides/maintains the customer router)
obviously runs no filters to prevent forged addresses from leaving their
network.

For example Sprint/Centel provides a T1 and Cisco 2501 in FDT's
Tallahassee office (this wasn't my idea). This is a 2501 with an ethernet
connection, only one serial port in use, and nothing else. It has the
ability to run with a filter like:

access-list 101 permit ip 199.44.96.0 0.0.7.255 0.0.0.0 255.255.255.255

without affecting performance in any measurable way, but Sprint/Centel
_refused_ to install even that basic a filter, claiming their policy is
"we don't filter". With attitudes like that in NSPs, it's amazing FDT's
main office went about 2.5 years without a serious DoS IP attack.

Jon Lewis <jlewis@inorganic5.fdt.net> writes:

> Unless I'm mistaken, forged UDP requires root access and (at the volume we
> received) was likely from a host with T1 or better
> connection to the net.

You just described nearly every PeeCee at nearly every
higher educational institution in North America and
northern Europe, and several parts of Asia, too.

  Sean.

True. Someone else already pointed that out, but mentioned that at their
institution, many of the points on the network where students have access
to PCs are filtered to prevent such abuse.

The typical university campus is likely subnetted and littered with
routers more than capable of filtering for their subnet of campus.

Sean M. Doran wrote:

> Jon Lewis <jlewis@inorganic5.fdt.net> writes:
>
> > Unless I'm mistaken, forged UDP requires root access and (at the volume we
> > received) was likely from a host with T1 or better
> > connection to the net.
>
> You just described nearly every PeeCee at nearly every
> higher educational institution in North America and
> northern Europe, and several parts of Asia, too.

And it goes beyond that... Every PC running Windows (or any other OS,
for that matter) has complete ability to do anything with IP. So, any
user on a dialup line into any ISP is a possible source of attacks.

This is why I think the RAS servers need to be able to filter right at
the point of the dialup. There, the comparison is a simple compare of a
32 bit integer (IP address assigned to the dialup user, compared to the
IP address of packets received from the user). Any discrepancies should
set off alarm bells...

> And it goes beyond that... Every PC running Windows (or any other OS,
> for that matter) has complete ability to do anything with IP. So, any
> user on a dialup line into any ISP is a possible source of attacks.

Not at 1.5Mbps :). Granted I've seen effective synflooding come from a
dialup customer. Can you say luserdel. I think you can. :)

> This is why I think the RAS servers need to be able to filter right at
> the point of the dialup. There, the comparison is a simple compare of a
> 32 bit integer (IP address assigned to the dialup user, compared to the
> IP address of packets received from the user). Any discrepancies should
> set off alarm bells...

It's mostly that simple, but not entirely. Filters for dialup subnet
customers would likely need to make 2 comparisons.
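As an added illustration of the two filtering cases discussed in this thread (not code from any poster): the Cisco-style access-list from Jon's 2501 example, where the wildcard mask marks "don't care" bits, and the per-dialup-user source compare, where a single host is an exact match and a dialup subnet customer gets the subnet's wildcard instead. Both reduce to one AND and one compare against the packet's source address; the ACL number, addresses and sample packets below are taken from the thread or constructed.

```python
"""Ingress (anti-spoofing) source check in the style of the thread's examples."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, network, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'.
    Two operations per packet: AND with the care mask, then compare."""
    a, n, w = (_to_int(x) for x in (addr, network, wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl(line):
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST DST-WC'.
    Keywords like 'any'/'host' are not handled; the thread's line uses masks."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
        raise ValueError("unsupported access-list syntax: %r" % line)
    return {"number": p[1], "action": p[2],
            "src": p[4], "src_wc": p[5], "dst": p[6], "dst_wc": p[7]}


def ingress_verdict(acl_lines, src, dst):
    """Evaluate entries in order; unmatched packets hit the implicit deny."""
    for line in acl_lines:
        e = parse_acl(line)
        if matches(src, e["src"], e["src_wc"]) and matches(dst, e["dst"], e["dst_wc"]):
            return e["action"]
    return "deny"


def dialup_source_ok(assigned, src, wildcard="0.0.0.0"):
    """RAS-side check: the address handed to the dialup user against the
    source of what the user sends. Wildcard 0.0.0.0 is an exact compare;
    a dialup subnet customer passes the subnet's wildcard (e.g. 0.0.0.255)."""
    return matches(src, assigned, wildcard)


# The filter Jon wanted on the FDT 2501: permit only sources in 199.44.96.0/21.
FDT_ACL = ["access-list 101 permit ip 199.44.96.0 0.0.7.255 0.0.0.0 255.255.255.255"]

if __name__ == "__main__":
    # Constructed packets: one legitimate FDT source, one forged source.
    print(ingress_verdict(FDT_ACL, "199.44.100.7", "10.0.0.1"))   # permit
    print(ingress_verdict(FDT_ACL, "1.2.3.4", "10.0.0.1"))        # deny (forged)
```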