SYN spoofing

From: Randy Bush <randy@psg.com>
To: Joe Shaw <jshaw@insync.net>
CC: John Fraizer <John.Fraizer@EnterZone.Net>,Dan Hollis <goemon@sasami.anime.net>, bandregg@redhat.com,nanog@merit.edu
Subject: Re: SYN spoofing
Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)

> How hard is it really to put a filter on your outbound links that says
> drop all ip traffic heading out these links that isn't from my IP space?

trivial. only one gotcha. if it is a backbone router, it will fall over
dead. beyond that, not a problem.

backbone level traffic can not be packet filtered by current real routers.
but we've had this discussion a few times already.

randy

Which is why it's more scalable to do packet filtering at the edge, and leave the core to do what it does best...switch packets.

-rb

> > backbone level traffic can not be packet filtered by current real routers.
> > but we've had this discussion a few times already.
>
> Which is why it's more scalable to do packet filtering at the edge, and
> leave the core to do what it does best...switch packets.

yup, that is the conclusion which was reached every one of the many times
this has been discussed over the last years. in the future, there may come
real routers (i.e. routers which can be and are usable by large isps on
large capacity circuits) which have more per-packet processing power at a
low enough level of the implementation (i.e. silicon) to allow backbones to
filter bogons. also note that reverse-route checks don't work in meshes of
any complexity, i.e. backbones.

randy
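The two mechanisms contrasted above, filtering spoofed sources at the customer edge versus a reverse-route check inside a meshed backbone, as an added example in Python (this is not code from the thread or from any vendor; every prefix, interface name and FIB entry in it is constructed for the demonstration, and the tiny longest-prefix-match FIB stands in for a real router's forwarding table):

```python
"""Edge source-address filtering versus reverse-path checks (added example).

This models, with the standard ipaddress module, the two mechanisms the
thread contrasts:

  1. an edge filter that drops outbound packets whose source address is
     not in the customer's own address space, and
  2. a reverse-path check on a backbone router, where the FIB's best
     route back to a source address may point out a different interface
     than the one the packet actually arrived on (asymmetric routing,
     which is normal in a meshed backbone).

Every prefix, interface name and FIB entry below is constructed for the
demonstration; none is taken from the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # source IPv4 address as text
    dst: str  # destination IPv4 address as text


# 1. Edge filter: the customer-facing router knows exactly which prefixes
#    the customer is allowed to source traffic from (constructed values).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def edge_egress_filter(pkt: Packet, my_prefixes=CUSTOMER_PREFIXES) -> bool:
    """Return True if the packet may leave the customer edge, False if it
    is dropped because its source lies outside the customer's prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in my_prefixes)


# 2. Backbone router with a constructed FIB.  There is no default route
#    (default-free zone).  Each entry maps a prefix to the interface(s)
#    this router would use to reach it.  203.0.113.0/24 is a remote network
#    whose best path from here goes out pos1, but that network hands us
#    its traffic on pos2, because its own outbound policy differs from ours.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): {"pos1"},
    ipaddress.ip_network("192.0.2.0/24"): {"pos3"},      # our customer edge
    ipaddress.ip_network("198.51.100.0/25"): {"pos3"},   # our customer edge
}


def fib_lookup(addr: str, fib=FIB):
    """Longest-prefix match; returns the set of egress interfaces or None."""
    a = ipaddress.ip_address(addr)
    matches = [net for net in fib if a in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda n: n.prefixlen)]


def strict_rpf(pkt: Packet, ingress: str, fib=FIB) -> bool:
    """Strict reverse-path check: accept only if the router would send
    traffic back to pkt.src out of the interface the packet arrived on."""
    ifaces = fib_lookup(pkt.src, fib)
    return ifaces is not None and ingress in ifaces


def loose_rpf(pkt: Packet, ingress: str, fib=FIB) -> bool:
    """Loose reverse-path check: accept if any route to pkt.src exists,
    regardless of interface.  `ingress` is unused but kept for symmetry."""
    return fib_lookup(pkt.src, fib) is not None


def demo() -> dict:
    """Run the cases that matter and return the verdicts by name."""
    legit_customer = Packet("192.0.2.10", "203.0.113.1")
    spoofed_from_customer = Packet("203.0.113.1", "192.0.2.10")  # forged source
    legit_remote = Packet("203.0.113.5", "192.0.2.10")           # real remote host
    unrouted_source = Packet("10.0.0.1", "192.0.2.10")           # no FIB entry

    return {
        # The edge filter decides purely on "is this source mine?".
        "edge_passes_legit": edge_egress_filter(legit_customer),
        "edge_drops_spoofed": not edge_egress_filter(spoofed_from_customer),
        # Strict RPF works on a single-homed edge link (topology is trivial) ...
        "strict_catches_forgery_at_edge": not strict_rpf(spoofed_from_customer, "pos3"),
        # ... and in the core only while routing happens to be symmetric ...
        "strict_ok_symmetric": strict_rpf(legit_remote, "pos1"),
        # ... but throws away legitimate traffic as soon as it is not.
        "strict_rpf_drops_legit_asymmetric": not strict_rpf(legit_remote, "pos2"),
        # Loose RPF survives asymmetry but only catches sources with no route,
        # so a forged but routable source sails through it.
        "loose_passes_asymmetric": loose_rpf(legit_remote, "pos2"),
        "loose_drops_unrouted": not loose_rpf(unrouted_source, "pos2"),
        "loose_passes_routable_forgery": loose_rpf(spoofed_from_customer, "pos3"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {ok}")
```

Running it prints one True per case, which is the whole argument in miniature: the edge filter needs nothing but a list of the customer's own prefixes and never misfires, strict RPF is sound only where there is one way in and one way out, and loose RPF in the core lets any forged address that happens to be routed pass straight through.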

I wonder if any of the cisco experts could comment on an idea for
removing bogons from the core...

Questions:

- do folks use cisco's policy routing capabilities on their
  routers? core routers?

- does the use of policy routing significantly affect performance
  in the core?

The thought is that using policy routing capabilities of IOS, it appears
possible to separate out traffic matching certain characteristics,
including source addresses. If packets with bogus source addresses can
be so identified, the policy routing could route these to null0.

I don't know how Cisco did their implementation of this feature. It's
certainly possible to construct hardware which does source IP address
matching in hardware looking for bogons, by the same methods used to do
destination address matching (a.k.a. routing table lookups).

> - do folks use cisco's policy routing capabilities on their
>   routers? core routers?

cpe, not core. and an oft-unmentioned problem, as aggregation routers take
relatively large aggregations via channelized t3/e3 and bigger interfaces,
and most of those routers are underhorsed (insert rant on 75xx sl^H^Htime-
to-market), doing it on aggregation routers is often not reasonable.

> - does the use of policy routing significantly affect performance
>   in the core?

it would if folk did it. hence they don't.

> I don't know how Cisco did their implementation of this feature.

optimism is not warranted.

randy