RE: Working vulnerability? (Cisco exploit)

Yep, it's all a bit weird; I guess people are not too knowledgeable about
it. For starters the original exploit won't work very well out of the box
for most script kiddies (random source addresses -> killed by
anti-spoofing), and a single packet to a vulnerable box isn't enough (need
to fill the queue slots).

More of an annoyance really - most of the outages as a result are going to
be from people upgrading boxes, not victims of attack.

BB

B.Buxton@Planettechnologies.nl ("Ben Buxton") writes:

For starters the original exploit won't work very well out of the box for
most script kiddies (random source addresses -> killed by anti-spoofing)

Please put a ":-)" in when you're being humorous. That one was subtle
enough that I just about laughed coffee out my nose.

For the record, script kiddies (and others) encounter no significant
blockage when using random source addresses. I'd estimate that less
than a tenth of a percent (that's 0.1%) of edge paths use RPF, even
though BCP38 states the case clearly and the technology makes it easy
and there are plenty of recipes and examples available.

For a truly stunning example, consider that one of the low-end members
of the f-root cluster has gone 60 days since its counters were last
cleared, yet...

#sfo2b.f:i386# ipfw show
...
00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in
00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in
00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in
...

...it has received almost 7GBytes of rfc1918-sourced traffic in that time.
I don't mean by that example to support my 0.1% assertion, but rather to
show that far from filtering not-theirs on ingress, the vast majority of
providers can't even filter not-anybodys on egress -- an easier problem!

Don't underestimate script kiddies. If you leave a door wide open, they
WILL walk through.
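The ipfw counters above make the point numerically. The following is an added example (not part of Paul's post or any f-root tooling) that parses the three quoted `ipfw show` lines, sums the packet and byte counters of the inbound deny rules whose source is RFC 1918 space, and converts the total into GB and an average bit rate over the stated 60-day window. The rule text is copied from the post; the 60-day figure is the one stated in the post; everything else is constructed here.

```python
import re
from ipaddress import ip_network

# The three counter lines quoted from the sfo2b.f post above:
# rule number, packet count, byte count, action, protocol, body.
IPFW_SHOW = """\
...
00400 39787994 2630377143 deny ip from 10.0.0.0/8 to any in
00500 38090617 2460350048 deny ip from 172.16.0.0/12 to any in
00600 24926636 1658950280 deny ip from 192.168.0.0/16 to any in
...
"""

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the common "ipfw show" layout; '...' and other non-rule lines are skipped.
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\w+)\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


def parse_ipfw_show(text):
    """Turn 'ipfw show' output into a list of rule dicts with integer counters."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "num": int(d["num"]),
            "pkts": int(d["pkts"]),
            "bytes": int(d["bytes"]),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            # 'in' as a standalone keyword means the rule matches inbound packets
            "inbound": re.search(r"\bin\b", d["rest"]) is not None,
        })
    return rules


def src_is_rfc1918(src):
    """True when the rule's source is a prefix wholly inside RFC 1918 space."""
    if src == "any":
        return False
    try:
        net = ip_network(src, strict=False)
    except ValueError:
        return False  # 'me', table(...), hostnames: not a plain prefix
    return any(net.subnet_of(r) for r in RFC1918)


def rfc1918_ingress_totals(rules):
    """Sum packets and bytes over inbound deny rules with RFC 1918 sources."""
    hits = [r for r in rules if r["action"] == "deny" and r["inbound"]
            and src_is_rfc1918(r["src"])]
    return sum(r["pkts"] for r in hits), sum(r["bytes"] for r in hits)


def as_gigabytes(n_bytes):
    """Decimal GB (10^9), the unit the post uses for 'almost 7GBytes'."""
    return n_bytes / 1e9


def average_bps(n_bytes, days):
    """Average bit rate needed to deliver n_bytes evenly over the given days."""
    return n_bytes * 8 / (days * 86400)


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    pkts, byts = rfc1918_ingress_totals(rules)
    print(f"{len(rules)} rules, {pkts} packets, {byts} bytes "
          f"({as_gigabytes(byts):.2f} GB) of RFC 1918-sourced ingress")
    print(f"averages about {average_bps(byts, 60):.0f} bit/s over 60 days")
```

The totals come out to about 6.75 GB, which is the "almost 7GBytes" in the post, and to only about 10 kbit/s averaged over 60 days: a steady trickle of traffic that no provider should have let out of its network, rather than a burst that would have stood out on a graph.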

Paul Vixie wrote:

I'd estimate that less
than a tenth of a percent (that's 0.1%) of edge paths use RPF, even
though BCP38 states the case clearly and the technology makes it easy

"Makes it easy" if you live in an Internet with a number of routes
significantly less than the limit imposed for having stable RPF enabled.
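To make the RPF discussion in this thread concrete, here is an added example (not from any poster, router vendor or BCP38 text) of the decision a unicast RPF check makes at a customer-facing edge. It uses a constructed FIB of RFC 5737 documentation prefixes, performs a longest-prefix lookup on the source address, and shows the difference between strict mode (the route back to the source must point out the ingress interface), loose mode (any non-default route to the source suffices), and a plain bogon source filter. Interface names, prefixes and sample packets are all constructed here.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for a hypothetical edge router: prefix -> interface.
# Documentation ranges only; this is not any real provider's table.
FIB = {
    ip_network("0.0.0.0/0"): "upstream0",
    ip_network("203.0.113.0/24"): "cust-a",
    ip_network("198.51.100.0/24"): "cust-b",
    ip_network("198.51.100.128/25"): "cust-c",   # more specific than cust-b
}

# Source prefixes that should never appear on the wire (RFC 1918 and friends).
BOGON_SOURCES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def lookup(addr, fib=FIB, use_default=True):
    """Longest-prefix match; returns the interface or None if nothing matches."""
    best_net, best_iface = None, None
    for net, iface in fib.items():
        if not use_default and net.prefixlen == 0:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def is_bogon(addr):
    return any(addr in n for n in BOGON_SOURCES)


def urpf_strict(src, ingress, fib=FIB):
    # Strict mode: the best route to the source must point back out the
    # interface the packet arrived on. The default route is excluded so it
    # cannot vouch for arbitrary (randomly chosen) source addresses.
    return lookup(src, fib, use_default=False) == ingress


def urpf_loose(src, fib=FIB):
    # Loose mode: some non-default route to the source must exist. With a
    # default route counted, loose mode would pass everything, which is the
    # classic caveat; hence use_default=False.
    return lookup(src, fib, use_default=False) is not None


def ingress_decision(src_str, ingress, mode="strict"):
    """Return 'forward' or a 'drop:<reason>' string for one inbound packet."""
    src = ip_address(src_str)
    if is_bogon(src):
        return "drop:bogon"
    ok = urpf_strict(src, ingress) if mode == "strict" else urpf_loose(src)
    return "forward" if ok else f"drop:urpf-{mode}"


def summarize(packets, mode="strict"):
    """Count decisions over (src, ingress) pairs, e.g. to compare modes."""
    counts = {}
    for src, ingress in packets:
        d = ingress_decision(src, ingress, mode)
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed traffic sample: two legitimate packets, two with spoofed
    # (random) sources from another customer's range, one RFC 1918 source.
    sample = [("203.0.113.7", "cust-a"), ("198.51.100.200", "cust-c"),
              ("198.51.100.9", "cust-a"), ("198.51.100.200", "cust-b"),
              ("10.1.2.3", "cust-a")]
    for mode in ("strict", "loose"):
        print(mode, summarize(sample, mode))
```

Strict mode is what actually stops the "random source addresses" case the first poster mentions, and only on interfaces where it is deployed; loose mode lets any routed source through, and a bogon filter alone only catches the not-anybody's space that Paul's ipfw counters are tallying.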

] Please put a ":-)" in when you're being humorous. That one was subtle
] enough that I just about laughed coffee out my nose.

Coffee abuse! Coffee abuse! :-) Well said, re: RFC1918 and
filtering. For those of you looking to automate some of your
filtering, please visit the Bogon Route-Server Project page:

   <http://www.cymru.com/BGP/bogon-rs.html>

It isn't perfect, but it does help. Suggestions and feedback
are always welcome!

] Don't underestimate script kiddies. If you leave a door wide open, they
] WILL walk through.

Indeed. It's amazing how folks continue to dismiss the
script kiddies while I've seen those same script kiddies
"own" over 500K devices since 01 JAN 2003. What a bunch of
lamers, they should have owned 1M devices by now, eh? :-|