Re: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Olsson)

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 11/09/03

    To: Stephen Gill <gillsr@yahoo.com>
    Date: Sun, 09 Nov 2003 19:07:10 +0100

    Stephen Gill wrote:
    >
    > I'd like to point out a few issues with your report as I tend to
    > disagree with it :).

    Argumentation good. Shoot.

    > ] Why Blocking Bogons Buys You Nothing
    >
    > This title is misleading. [...]
    > I think you mean to say: "Why Blocking Inbound Bogons Buys You Very Little
    > on Firewalls"
    >

    Indeed. I added the "Inbound" clause to the title of
    http://www.clueby4.org/pubs/blocking-bogons.txt

    > Blocking Bogons buys you a LOT, you just don't
    > get to see the benefits because others are doing it for you.

    Actually, don't you mean egress spoofing protection here?
    That's a totally separate issue.

    > So why are we drawing global conclusions from a _single_ site?

    Because from what I've seen, that's pretty much what everyone else
    is doing when it comes to bogons :)

    This MAN has about five or six thousand public IPs, spread out over
    five or six disjoint spans. It's got plenty of people that are likely
    to attract DDoS attacks (IRC weenies), and indeed, they do happen.

    It's not the uunet backbone, but, in my opinion, it's representative
    enough for my target audience.

    > Many DDOS attacks I see still use random spoofed sources. Most DDOS
    > attack data points to bogon filtering having a _significant_ impact
    > on reducing the overall load reached on the target network.

    40-50% is not "significant" for a DDoS in my opinion. Especially
    not if you're doing it on the wrong end of your Internet connection.

    > ] Blocking the 0/8 network, 127/8 network and 224/3 networks is another
    > ] thing altogether; there are firm technical and security reasons for
    > ] doing that.
    >
    > There are other networks that will never be part of the global Internet
    > routing table, such as but not limited to RFC 1918 space.

    Yes, but the technical reasons are not the same.

    - 0.* is good to drop because of dumb software that assumes that if
      the first byte of the IP address is 0, it's uninitialized or
      otherwise has a special meaning

    - 127.* is good because lots of dumb software think that packets
      sourced from 127.* couldn't have come across the network

    - 224.* and up is good because you don't want to end up sending responses
      to multicast addresses that end up getting forwarded to thousands
      of hosts/routers

    > [... snip lots of argumentation related to me not putting
    > "inbound" in the title. It's there now.]

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
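Added example (mine, not part of Mikael's message or the list archive): it encodes the three ranges he says have firm technical reasons to drop on ingress (0/8, 127/8, 224/3) separately from RFC 1918 space, and measures what share of uniformly random spoofed sources each policy would discard. The traffic sample is constructed; the thread's 40-50% figure is not reproduced here because it depended on the unallocated-space bogon list of the time, which this code does not include.

```python
"""Ingress-drop coverage for the address ranges discussed in the thread."""
import ipaddress
import random
from fractions import Fraction
from typing import Optional

# Ranges the message says have firm technical reasons to drop, with the
# reason given for each.
HARD_DROP = {
    "zero-net: software treats a leading 0 byte as uninitialized": ipaddress.ip_network("0.0.0.0/8"),
    "loopback: software assumes 127/8 never crosses the wire":     ipaddress.ip_network("127.0.0.0/8"),
    "224/3: replies would go to multicast/reserved destinations":  ipaddress.ip_network("224.0.0.0/3"),
}

# RFC 1918 space: never in the global routing table, but dropped for a
# different (routing-policy) reason, so it is tracked separately.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(src: str) -> Optional[str]:
    """Return the drop reason for a source address, 'rfc1918', or None."""
    addr = ipaddress.ip_address(src)
    for reason, net in HARD_DROP.items():
        if addr in net:
            return reason
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return None


def coverage(nets) -> Fraction:
    """Exact share of the IPv4 space covered by a list of disjoint prefixes."""
    return sum((Fraction(n.num_addresses, 2 ** 32) for n in nets), Fraction(0))


def simulate(n: int, seed: int = 1) -> dict:
    """Count how many of n uniformly random (constructed) spoofed sources
    fall into the hard-drop ranges, RFC 1918, or neither."""
    rng = random.Random(seed)
    counts = {"hard": 0, "rfc1918": 0, "pass": 0}
    for _ in range(n):
        reason = classify(str(ipaddress.IPv4Address(rng.getrandbits(32))))
        if reason is None:
            counts["pass"] += 1
        elif reason == "rfc1918":
            counts["rfc1918"] += 1
        else:
            counts["hard"] += 1
    return counts
```

The exact coverage of the three hard-drop ranges is 34/256 of the address space, which is the ceiling on what they alone can remove from a uniformly random spoofed-source flood.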
    
