Tracking stealth portscan/pepsi attacks
Poul-Henning Kamp phk at critter.freebsd.dk
Fri Sep 3 14:25:19 CEST 1999
In message <37CE556A.3B97A29E at insnet.net>, Leigh Porter writes:
>"Gert Doering, Netmaster" wrote:
>
>> Hi,
>>
>> On Thu, Sep 02, 1999 at 10:44:39AM +0100, Leigh Porter wrote:
>> > As a side note, does anybody use anything to prevent address spoofing in their
>> > network? That would at least prevent a lot of attacks completely and make tracing the
>> > rest much easier.
>>
>> Sure we do.
>>
>> On our ingress interfaces to our customers, we have very strict access
>> lists ("permit ip <customer net> any / deny ip any any log").
>
>How do you manage large BGP customers with lots of networks?
>I would also be interested to know performance hits on the routers
>for this.

You filter at your ingress points. If you have a leased-line customer
you make sure they can't send from anything but the addresses they have
from RIPE. Dial up likewise.

>I do recall something Cisco implemented that checked you have a route back to
>any source address that comes in on a suitably configured interface else it'll
>drop the packet as being spoofed, this sounds good - anybody tried it?

Hey, that sounds neat, more info ?

--
Poul-Henning Kamp             FreeBSD coreteam member
phk at FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
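
Added example, not part of the original message or of any vendor's code: a small Python model that runs the same packets through the static per-customer ingress list quoted in the thread and through a route-back check of the kind Leigh Porter describes. The interface names, prefixes and routing table are constructed, and the strict rule used here (the best route back to the source must point out the interface the packet arrived on) is an assumed reading of that description.

```python
import ipaddress

# Constructed routing table: (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust-a"),
    ("198.51.100.0/24", "cust-b"),
    ("198.51.100.128/25", "cust-a"),  # more specific learned from customer A
]

# Constructed static ingress lists: "permit ip <customer net> any / deny ip any any log".
INGRESS_ACL = {
    "cust-a": ["192.0.2.0/24"],       # not updated for the /25 above
    "cust-b": ["198.51.100.0/24"],
}

# Longest prefix first, so the first match is the best route.
TABLE = sorted(((ipaddress.ip_network(p), i) for p, i in ROUTES),
               key=lambda r: r[0].prefixlen, reverse=True)

def best_route(addr):
    """Interface of the longest-prefix route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((ifname for net, ifname in TABLE if ip in net), None)

def acl_permits(ifname, src):
    """Static filter: source must fall inside a prefix listed for the interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in INGRESS_ACL.get(ifname, []))

def rpf_permits(ifname, src):
    """Route-back check: best route to src must use the arrival interface."""
    return best_route(src) == ifname

def check(packets):
    return [(i, s, acl_permits(i, s), rpf_permits(i, s)) for i, s in packets]

# Constructed sample traffic: (arrival interface, source address).
PACKETS = [
    ("cust-a", "192.0.2.10"),      # inside customer A's assigned prefix
    ("cust-a", "203.0.113.7"),     # source only reachable via the default route
    ("cust-a", "198.51.100.200"),  # routed to A, missing from A's static list
    ("cust-b", "198.51.100.200"),  # inside B's listed /24, but routed to A
    ("cust-b", "198.51.100.5"),    # inside B's prefix and routed to B
]

if __name__ == "__main__":
    for ifname, src, acl, rpf in check(PACKETS):
        print(f"{ifname:7} {src:15} acl={'permit' if acl else 'deny'} "
              f"route-back={'permit' if rpf else 'drop'}")
```

The third and fourth packets are where the two approaches disagree: the static list only knows what was typed into it, while the route-back check follows the routing table, which also means it drops legitimate traffic whenever the return route points out a different interface.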