Tracking stealth portscan/pepsi attacks
Lars Marowsky-Bree lmb at teuto.net
Fri Sep 3 14:18:58 CEST 1999
On 1999-09-02T11:44:12,
   "Gert Doering, Netmaster" <netmaster at space.net> said:

> On our ingress interfaces to our customers, we have very strict access
> lists ("permit ip <customer net> any / deny ip any any log").

Same here. A very good idea anyway, not just because of security, but because of customers who think "let's just continue increasing the last digit!".

And I wish I had more time to work on the security issues. Fascinating topic. But there are so many fascinating topics and only 24 hours plus the night per day...

> On our external interfaces from our upstreams we deny packets with a
> source address coming from one of our network blocks.

We also filter private addresses & martians. Sometimes a few of those come through.

And on the outgoing interfaces we filter packets going to our own netblocks, so that we don't accidentally leak because of fucked up routing.

And then there are the filters on the BGP4 sessions to prevent someone from injecting bogus routes into our AS (remember that EBGP learned routes take precedence over IGP, and more specific routes always take precedence, so if you don't filter correctly, someone might hijack one IP from your network).

> Interesting enough, we don't observe many attacks - what we do see is LOTS
> of broken end user configurations (leaking RFC 1918 networks, customers
> leaking IP addresses from other ISPs, ...).

Yeah. But it also helps to prevent smurf attacks etc.

I do see a need for a RIPE Security WG to point these issues out to all ISPs/LIRs so at least those easy measures get taken.

According to the annual report from last year, funding shouldn't be that much of a problem ;-)

Sincerely,
    Lars Marowsky-Brie

-- 
Lars Marowsky-Brie
Network Management
teuto.net Netzdienste GmbH
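The packet filters described in this thread (customer ingress, upstream ingress, upstream egress), written out as a small Python classifier. This is an added example, not part of the original mails: the prefixes are documentation ranges chosen for illustration, the bogon list is partial, and the function and interface names are hypothetical.

```python
import ipaddress as ip

# Constructed sample values (documentation prefixes), not from the original mails.
OWN_BLOCKS = [ip.ip_network("198.51.100.0/24"), ip.ip_network("203.0.113.0/24")]
CUSTOMER_NET = ip.ip_network("203.0.113.64/26")
# Private (RFC 1918) space plus a few common martians; a partial list.
BOGONS = [ip.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def _in(addr, nets):
    return any(addr in n for n in nets)

def check(iface, direction, src, dst):
    """Return (action, reason) for one packet under the policy in the thread."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if iface == "customer" and direction == "in":
        # permit ip <customer net> any / deny ip any any log
        if s in CUSTOMER_NET:
            return ("permit", "source inside customer net")
        return ("deny+log", "source outside customer net")
    if iface == "upstream" and direction == "in":
        if _in(s, OWN_BLOCKS):
            return ("deny", "spoofed: our own block arriving from upstream")
        if _in(s, BOGONS):
            return ("deny", "private or martian source")
        return ("permit", "ok")
    if iface == "upstream" and direction == "out":
        if _in(d, OWN_BLOCKS):
            return ("deny", "destination is ours: routing leak")
        return ("permit", "ok")
    raise ValueError(f"no policy for {iface}/{direction}")

# Constructed sample packets: (interface, direction, source, destination).
SAMPLE = [
    ("customer", "in", "203.0.113.70", "192.0.2.10"),    # legitimate customer
    ("customer", "in", "203.0.113.130", "192.0.2.10"),   # "increased the last digit"
    ("upstream", "in", "198.51.100.9", "203.0.113.70"),  # our block from outside
    ("upstream", "in", "10.1.2.3", "203.0.113.70"),      # leaked RFC 1918 source
    ("upstream", "out", "203.0.113.70", "198.51.100.9"), # internal traffic leaking
    ("upstream", "out", "203.0.113.70", "192.0.2.10"),   # normal outbound
]

def run(samples=SAMPLE):
    return [check(*p)[0] for p in samples]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", check(*pkt))
```

The BGP session filters mentioned in the thread act on route announcements rather than packets and are not modelled here.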