Tracking stealth portscan/pepsi attacks
Gert Doering, Netmaster netmaster at space.net
Thu Sep 2 11:51:15 CEST 1999
Hi,
On Thu, Sep 02, 1999 at 11:46:02AM +0100, Leigh Porter wrote:
> > > As a side note, does anybody use anything to prevent address spoofing in their
> > > network? That would prevent a lot of attacks completely and make tracing the
> > > rest much easier.
> >
> > Sure we do.
> >
> > On our ingress interfaces to our customers, we have very strict access
> > lists ("permit ip <customer net> any / deny ip any any log").
>
> How do you manage large BGP customers with lots of networks?
Hmmm, I have to admit that I don't - we're not THAT large yet, so our
BGP customers are usually pretty small and only have two or three
network blocks, so filtering is feasible.
(As I filter their BGP announcements anyway, adding the networks to the
ingress access-list isn't much more effort).
> I would also be interested to know performance hits on the routers
> for this.
The access lists per interface are usually no longer than 10 lines,
and the routers seem to manage fine.
> I do recall something Cisco implemented that checks you have a route back to
> any source address that comes in on a suitably configured interface, else it'll
> drop the packet as being spoofed. This sounds good - anybody tried it?
This is in IOS 12.0, and you need to have CEF enabled to use it. As our
production routers don't use IOS 12 yet, I haven't tried it. It would
certainly be very nice.
Gert Doering
-- NetMaster
--
SpaceNet GmbH Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299
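The two anti-spoofing mechanisms discussed in the thread, modelled as runnable code (an added example, not part of the original mail or of any Cisco software): the per-customer ingress access-list ("permit ip <customer net> any / deny ip any any log"), generated from the same prefix list used to filter the customer's BGP announcements, and the reverse-path check Cisco shipped in IOS 12.0 (strict unicast RPF: the packet's source address must be routed back out the interface it arrived on). The forwarding table, interface names and addresses below are constructed sample data, and the access-list number 101 is an assumption chosen for the illustration.

```python
"""Model of ingress anti-spoofing: static customer ACL vs. strict reverse-path check.

Constructed sample data; interface names, prefixes and ACL number are assumptions
made for this example and are not taken from the original post.
"""
import ipaddress

# Toy forwarding table: prefix -> interface the route points out of.
# Customer B announces two blocks, as a small BGP customer in the mail would.
FIB = {
    "192.0.2.0/24": "Serial0",        # customer A
    "198.51.100.0/24": "Serial1",     # customer B, block 1
    "198.51.100.128/25": "Serial1",   # customer B, block 2 (more specific)
    "0.0.0.0/0": "Ethernet0",         # default route toward the upstream
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(fib, in_iface, src):
    """Strict reverse-path check: accept only if the best route back to src
    leaves via the interface the packet came in on.

    Caveat visible in the data: a default route makes every source pass on the
    interface the default points at (here Ethernet0), so strict uRPF is only a
    useful anti-spoofing control on customer-facing interfaces, and it breaks
    legitimate traffic wherever routing is asymmetric.
    """
    match = lookup(fib, src)
    return match is not None and match[1] == in_iface


def ingress_acl(customer_nets, src):
    """The ACL from the mail: permit sources inside the customer's blocks,
    deny everything else (the router would also log the denies)."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(n) for n in customer_nets)


def acl_lines(number, customer_nets):
    """Render the ingress ACL as IOS-style lines from the customer's prefix list,
    the same list already used to filter their BGP announcements. IOS classic
    ACLs take wildcard masks, which is why the host mask is emitted."""
    lines = []
    for n in customer_nets:
        net = ipaddress.ip_network(n)
        lines.append(f"access-list {number} permit ip "
                     f"{net.network_address} {net.hostmask} any")
    lines.append(f"access-list {number} deny ip any any log")
    return lines


def decide(in_iface, src, customer_nets):
    """Run both checks on one packet and return (acl_ok, urpf_ok)."""
    return ingress_acl(customer_nets, src), strict_urpf(FIB, in_iface, src)


if __name__ == "__main__":
    customer_b = ["198.51.100.0/24", "198.51.100.128/25"]
    print("\n".join(acl_lines(101, customer_b)))
    # Constructed packets: (ingress interface, source address, customer blocks on that interface)
    samples = [
        ("Serial0", "192.0.2.10", ["192.0.2.0/24"]),       # legitimate
        ("Serial0", "198.51.100.5", ["192.0.2.0/24"]),     # customer A spoofing customer B
        ("Serial0", "203.0.113.9", ["192.0.2.0/24"]),      # spoofing an unrelated net
        ("Serial1", "198.51.100.200", customer_b),         # legitimate, more-specific block
    ]
    for iface, src, nets in samples:
        print(iface, src, "acl=%s urpf=%s" % decide(iface, src, nets))
```

Run stand-alone it prints the generated access-list and the verdict of each check for the sample packets; the spoofed sources are dropped by both the static ACL and the reverse-path check, while the same reverse-path check would accept anything on the upstream-facing interface because of the default route.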
[ lir-wg Archives ]