RE: [fw-wiz] RE: Why blocking bogons buys you nothing (Mikael Olsson)
From: Stephen Gill (gillsr_at_yahoo.com)
To: "'Mikael Olsson'" <firstname.lastname@example.org>
Date: Mon, 10 Nov 2003 12:28:23 -0600
] Actually, don't you mean egress spoofing protection here?
] That's a totally separate issue.
Not necessarily. Egress filtering in one direction may equal Ingress
filtering in another. Transit filtering fits into both of these categories,
which is where Unicast RPF (loose and strict) comes in, though not part of
your target audience.
In all cases, I'm advocating filtering as far as possible upstream, even
including a local firewall's upstream router. So a rough order of
preference would be:
- egress anti-spoof filtering
- transit strict uRPF
- transit loose uRPF
- upstream ingress bogon filtering
- firewall ingress bogon filtering
The further you go downstream, the more likely your pipes will be filled
with cruft :|. It's not that firewall ingress bogon filtering buys you
nothing, it's that all the others buy you so much more, that efforts on
filtering should be concentrated there first because that's where you'll get
the most bang for your buck.
] > So why are we drawing global conclusions from a _single_ site?
] Because from what I've seen, that's pretty much what everyone else
] is doing in when it comes to bogons :)
Hopefully they aren't, though I don't have any hard data to prove or
disprove this. In either case, continuing a bad trend in fact finding
doesn't make this data any more believable.
] This MAN has about five or six thousand public IPs, spread out over
] five or six disjoint spans. It's got plenty of people that are likely
] to attract DDoS attacks (IRC weenies), and indeed, they do happen.
Unfortunately it's not the number of IPs that one manages (be it private or
public), but juiciness of the target. Again, as you stated, there were
relatively few DOS attacks in your dataset, and only one of them was
considered large. In my opinion, that would classify the dataset used in
this study too narrow to have a broad enough perspective on what really
happens on the Internet as a whole.
] It's not the uunet backbone, but, in my opinion, it's representative
] enough for my target audience.
I'd say from the average firewall's perspective, bogon filtering would
probably be best suited for a router or network connection further upstream
- see above.
] 40-50% is not "significant" for a DDoS in my opinion. Especially
] not if you're doing it on the wrong end of your Internet connection.
Not sure what this was referring to...
] Yes, but the technical reasons are not the same.
] - 0.* is good to drop because of dumb software that assumes that if
] - 127.* is good because lots of dumb software think that packets
] - 224.* and up is good because you don't want to end up sending responses
RFC 3330 is a great reference:
] > [... snip lots of argumentation related to me not putting
] > "inbound" in the title. It's there now.]
firewall-wizards mailing list
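The preference list in the message above (egress anti-spoof, strict uRPF, loose uRPF, then bogon filtering) can be seen in action with a small simulation. The following is an added example, not code from the thread or from any of its participants: it assumes a constructed forwarding table with two customer interfaces and a default route toward the upstream, and a bogon list limited to the RFC 3330 ranges the thread names (0/8, 127/8, 224/4 and up). It shows which of the three checks would drop each of four constructed sample packets, including the case where strict uRPF on an interface carrying a default route passes a loopback source that only the bogon filter catches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample forwarding table (FIB) for a small edge router.
# These prefixes, interfaces and packets are assumptions for illustration,
# not data from the thread.
FIB = {
    "192.0.2.0/24": "eth0",      # customer A attached on eth0
    "198.51.100.0/24": "eth1",   # customer B attached on eth1
    "0.0.0.0/0": "eth2",         # default route toward the upstream provider
}

# Sample bogon list: the RFC 3330 ranges named in the thread (0/8, 127/8, 224/4 and up).
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3"]


@dataclass
class Packet:
    src: str       # source address as seen on the wire
    in_iface: str  # interface the packet arrived on


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def is_bogon(addr, bogons=BOGONS):
    """Ingress bogon filter: flag sources that should never appear on the Internet."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(b) for b in bogons)


def urpf_strict(fib, pkt):
    """Strict uRPF: the route back to the source must point out the ingress interface."""
    m = lookup(fib, pkt.src)
    return m is not None and m[1] == pkt.in_iface


def urpf_loose(fib, pkt, allow_default=False):
    """Loose uRPF: a route to the source must exist via any interface.
    A default route is ignored unless allow_default is set (an assumption of
    this model), since otherwise every source would pass the check."""
    m = lookup(fib, pkt.src)
    if m is None:
        return False
    if m[0].prefixlen == 0:
        return allow_default
    return True


def evaluate(pkt, fib=FIB):
    """Run each check and report which ones would have dropped the packet."""
    return {
        "bogon_drop": is_bogon(pkt.src),
        "strict_drop": not urpf_strict(fib, pkt),
        "loose_drop": not urpf_loose(fib, pkt),
    }


# Constructed sample packets.
SAMPLE = [
    Packet("192.0.2.10", "eth0"),    # legitimate customer A traffic
    Packet("192.0.2.10", "eth1"),    # customer B spoofing customer A's address
    Packet("127.0.0.1", "eth2"),     # loopback source arriving from upstream
    Packet("203.0.113.5", "eth0"),   # source with no route, injected by customer A
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} on {p.in_iface}: {evaluate(p)}")
```

Running it shows the ordering argument in miniature: the spoofed customer-B packet is stopped only by strict uRPF (loose passes it because the address is routed somewhere), the unrouted source is stopped by either uRPF mode, and the loopback source from upstream slips past strict uRPF on the default-route interface and is caught only by the bogon filter. How a real router treats the default route in a loose check is implementation-specific; the `allow_default` switch here is a modelling assumption.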