Tracking stealth portscan/pepsi attacks
Gert Doering, Netmaster netmaster at space.net
Thu Sep 2 11:51:15 CEST 1999
Hi,

On Thu, Sep 02, 1999 at 11:46:02AM +0100, Leigh Porter wrote:
> > > As a side note, does anybody use anything to prevent address spoofing in their
> > > network? That would prevent a lot of attacks completely and make tracing the
> > > rest much easier.
> >
> > Sure we do.
> >
> > On our ingress interfaces to our customers, we have very strict access
> > lists ("permit ip <customer net> any / deny ip any any log").
>
> How do you manage large BGP customers with lots of networks?

Hmmm, I have to admit that I don't - we're not THAT large yet, so our BGP
customers are usually pretty small and only have two or three network
blocks, so filtering is feasible. (As I filter their BGP announcements
anyway, adding the networks to the ingress access-list isn't much more
effort).

> I would also be interested to know performance hits on the routers
> for this.

The access lists per interface are usually no longer than up to 10 lines,
and the routers seem to manage fine.

> I do recall something Cisco implemented that checked you have a route back to
> any source address that comes in on a suitably configured interface else it'll
> drop the packet as being spoofed, this sounds good - anybody tried it?

This is in IOS 12.0, and you need to have CEF enabled to use it. As our
production routers don't use IOS 12 yet, I haven't tried it. It would
certainly be very nice.

Gert Doering -- NetMaster
--
SpaceNet GmbH                    Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14        Tel : +49-89-32356-0
80807 Muenchen                   Fax : +49-89-32356-299
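The two anti-spoofing checks the thread compares, a static per-interface ingress ACL and the route-based reverse-path check, modelled as an added example (not code from the thread or from any router vendor). The routing table, interfaces, customer prefixes and packets are constructed sample data.

```python
# Added example: toy model of per-interface ingress filtering and a strict
# reverse-path check, the CEF-based check the thread says needs IOS 12.0.
# All routes, interfaces and addresses below are constructed for illustration.
import ipaddress
from typing import Optional

# Constructed FIB: (prefix, interface the router reaches it through).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0"),            # default, upstream
    (ipaddress.ip_network("192.0.2.0/24"), "Ethernet1"),       # customer A
    (ipaddress.ip_network("198.51.100.0/24"), "Ethernet2"),    # customer B
    (ipaddress.ip_network("198.51.100.128/25"), "Ethernet3"),  # customer C, more specific
]

# Constructed ingress ACLs, i.e. "permit ip <customer net> any / deny ip any any log".
INGRESS_ACL = {
    "Ethernet1": [ipaddress.ip_network("192.0.2.0/24")],
    "Ethernet2": [ipaddress.ip_network("198.51.100.0/25")],
}

def lookup(src: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def acl_permits(iface: str, src: str) -> bool:
    """Static ingress ACL: src must fall inside a prefix permitted on iface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_ACL.get(iface, []))

def urpf_strict_permits(iface: str, src: str) -> bool:
    """Strict reverse-path check: the route back to src must leave via iface."""
    return lookup(src) == iface

def check_packet(iface: str, src: str) -> dict:
    """Run both checks; False from either is a 'deny ... log' hit."""
    return {"acl": acl_permits(iface, src), "urpf": urpf_strict_permits(iface, src)}

if __name__ == "__main__":
    packets = [("Ethernet1", "192.0.2.10"),        # legitimate customer A source
               ("Ethernet1", "203.0.113.7"),       # spoofed, not a customer prefix
               ("Ethernet2", "198.51.100.200")]    # belongs to customer C, arrives from B
    for iface, src in packets:
        print(iface, src, check_packet(iface, src))
```

The third packet shows why the reverse-path check scales better than hand-written ACLs: the more-specific route for customer C already tells the router that the address cannot legitimately arrive on Ethernet2, with no ACL line to maintain.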