RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Olsson)

From: Stephen Gill (gillsr_at_yahoo.com)
Date: 11/10/03

  • Next message: TSimons_at_Delphi-Tech.com: "RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Ols son)"
    To: "'Mikael Olsson'" <mikael.olsson@clavister.com>
    Date: Mon, 10 Nov 2003 12:28:23 -0600
    
    

    Hi Michael,

    ] Actually, don't you mean egress spoofing protection here?
    ] That's a totally separate issue.

    Not necessarily. Egress filtering in one direction may equal Ingress
    filtering in another. Transit filtering fits into both of these categories,
    which is where Unicast RPF (loose and strict) comes in, though not part of
    your target audience.

    In all cases, I'm advocating filtering as far as possible upstream, even
    including a local firewall's upstream router. So a rough order of
    preference would be:

    - egress anti spoof filtering
    - transit strict uRPF
    - transit loose uRPF
    - upstream ingress bogon filtering
    - firewall ingress bogon filtering

    The further you go downstream, the more likely your pipes will be filled
    with cruft :|. It's not that firewall ingress bogon filtering buys you
    nothing, it's that all the others buy you so much more, that efforts on
    filtering should be concentrated there first because that's where you'll get
    the most bang for your buck.

    ] > So why are we drawing global conclusions from a _single_ site?

    ] Because from what I've seen, that's pretty much what everyone else
    ] is doing in when it comes to bogons :)

    Hopefully they aren't, though I don't have any hard data to prove of
    disprove this. In either case, continuing a bad trend in fact finding
    doesn't make this data any more believable.

    ] This MAN has about five or six thousand public IPs, spread out over
    ] five or six disjoint spans. It's got plenty of people that are likely
    ] to attract DDoS attacks (IRC weenies), and indeed, they do happen.

    Unfortunately it's not the number of IPs that one manages (be it private or
    public), but juiciness of the target. Again, as you stated, there were
    relatively few DOS attacks in your dataset, and only one of them was
    considered large. In my opinion, that would classify the dataset used in
    this study too narrow to have a broad enough perspective on what really
    happens on the Internet as a whole.

    ] It's not the uunet backbone, but, in my opinion, it's representative
    ] enough for my target audience.

    I'd say from the average firewall's perspective, bogon filtering would
    probably be best suited for a router or network connection further upstream
    - see above.

    ] 40-50% is not "significant" for a DDoS in my opinion. Especially
    ] not if you're doing it on the wrong end of your Internet connection.

    Not sure what this was referring to...

    ] Yes, but the technical reasons are not the same.
    ] - 0.* is good to drop because of dumb software that assumes that if
    ] - 127.* is good because lots of dumb software think that packets
    ] - 224.* and up is good because you don't want to end up sending responses

    RFC 3330 is a great reference:

    ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt

    ] > [... snip lots of argumentation related to me not putting
    ] > "inbound" in the title. It's there now.]

    Great!

    Cheers,
    -- steve

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: TSimons_at_Delphi-Tech.com: "RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Ols son)"

    Relevant Pages

    • Re: FW: SYN Flooding (fwd)
      ... --> Ingress spoof protection only ... --> egress spoof protection only, not both ingress and egress ... filtering on but not ingress filtering? ...
      (Focus-Linux)
    • Re: MS WORD launches slowly due to IE local security setting
      ... ingress and egress refer to the act of entry and act of exit respectively. ... Sometimes this also includes the inbound ... Respectively egress filtering. ...
      (alt.computer.security)
    • Re: The unnc urcm survey
      ... They've been intercepted by the upstream ... filtering as they've got an invalid To: ... Blog: http://mark.goodge.co.uk ...
      (uk.net.news.config)