
Re: Internet SYN Flooding, spoofing attacks

2000-02-11 19:20:02
Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

> On Fri, 11 Feb 2000 16:35:18 EST, Paul Ferguson said:
> > Do you think that if RFC2267 was advanced as a BCP that
> > it would carry more weight, and therefore more ISP's would
> > implement RFC2267-style filtering? Coupled with the latest
> > denial of service attacks?
> 
> On the one hand, I think it would make a good candidate for BCP.  It seems
> to be similar in tone with RFCs 2502 and 2644.  I'd have to re-read it to
> see if it would need any textual changes, or if it's OK as it is.
> 
> I was talking to a co-worker on this topic, and his exact quote was
> "We have our s--t more together than most sites, despite our best
> efforts".  The problem is that he was right - our site may have clue,
> but there's a lot of uneducated sites out there.
> 
> Does anybody have statistics on how effective RFC2350 (Expectations
> for Computer Security Incident Response) was?  Or RFC2502 (Anti-Spam
> Recommendations for SMTP MTAs)? Or RFC2644 (Changing the Default for
> Directed Broadcasts in Routers)?  It would seem reasonable that moving
> 2267 to BCP should have a similar effectiveness...

Ever since Paul and I wrote 2267, I've heard from ISPs and equipment
vendors, letting me know they'd implemented our recommendations. Lots of
folks are doing it because they understand they should do their part.

As for 2644, that one has only been out there a short time. It's not
clear how many people have noticed it yet. This document has two target
audiences, vendors and ISPs/users.

Some vendors made the change even before I wrote the document.  Router
Requirements (1812) have mandated devices have an on/off switch for this
feature for a long time. I would hope that all manufacturers at least
provided the config option. I hope the vendors who haven't changed their
defaults will get to this soon.

Many clueful network operators also took the time to ensure their
networks were clean. The problem with directed broadcasts is that EVERY
routing device really has to be checked, since with CIDR you really
don't know what comprises a broadcast. Network operators, especially,
need to spend the time to check the configurations on their equipment.
Awareness of this issue needs to be raised. As with ingress filtering,
everyone needs to do their part. Unfortunately, it may be threats of
negligence lawsuits that ultimately motivate some to take heed.

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts(_at_)senie(_dot_)com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
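The two checks discussed in this thread, an RFC 2267 ingress filter on a customer port and the RFC 2644 point that under CIDR a router can only recognise a directed broadcast if it knows the prefix length of every configured subnet, can be illustrated with a small audit script. This is an added example, not code from the thread or from either RFC; the customer prefixes, router subnets and sample packets are constructed, and the function names are my own.

```python
import ipaddress

# Constructed example: the prefixes an ISP has assigned to one customer port.
# RFC 2267 ingress filtering permits only source addresses inside these.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/26")]

# Constructed example: every subnet configured on the operator's own routers.
# Under CIDR the broadcast address of each subnet depends on its prefix
# length, so only this inventory tells us whether a destination is a
# directed broadcast; a classful guess (x.x.x.255) would be wrong here.
LOCAL_SUBNETS = [ipaddress.ip_network("203.0.113.0/25"),
                 ipaddress.ip_network("203.0.113.128/27"),
                 ipaddress.ip_network("10.7.0.0/16")]


def passes_ingress_filter(src, prefixes=CUSTOMER_PREFIXES):
    """RFC 2267: accept a packet arriving on a customer-facing port only if
    its source address falls inside a prefix assigned to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def is_directed_broadcast(dst, subnets=LOCAL_SUBNETS):
    """RFC 2644: a destination equal to the broadcast address of one of our
    subnets (but not the all-ones limited broadcast) is a directed broadcast
    and should be dropped by default."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return False
    return any(addr == net.broadcast_address for net in subnets)


def classify(src, dst):
    """Apply both checks in the order a router would: source first."""
    if not passes_ingress_filter(src):
        return "drop: spoofed source"
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"


# Constructed sample packets as (source, destination) pairs.
SAMPLE_PACKETS = [("192.0.2.17", "203.0.113.5"),     # normal traffic
                  ("172.16.9.9", "203.0.113.5"),     # source outside customer prefix
                  ("192.0.2.17", "203.0.113.127"),   # broadcast of 203.0.113.0/25
                  ("192.0.2.17", "203.0.113.159"),   # broadcast of 203.0.113.128/27
                  ("192.0.2.17", "203.0.113.255")]   # NOT a broadcast of any /25 or /27


def audit(packets=SAMPLE_PACKETS):
    """Return (src, dst, verdict) for every packet in the list."""
    return [(src, dst, classify(src, dst)) for src, dst in packets]


if __name__ == "__main__":
    for src, dst, verdict in audit():
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The last two sample packets make the CIDR point from the message: 203.0.113.159 is a directed broadcast for the /27 and must be dropped, while 203.0.113.255 is only a broadcast under a classful /24 assumption and is ordinary unicast on this network. A router that guesses from the address alone gets both wrong, which is why each device's actual subnet configuration has to be checked.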