Tracking stealth portscan/pepsi attacks
Gert Doering, Netmaster netmaster at space.net
Fri Sep 3 15:07:04 CEST 1999
Hi,
On Fri, Sep 03, 1999 at 02:18:58PM +0200, Lars Marowsky-Bree wrote:
> > On our external interfaces from our upstreams we deny packets with a
> > source address coming from one of our network blocks.
>
> We also filter private addresses & martians. Sometimes a few of those come
> through.
While I'd like to do that, I'm still not sure what's worse - seeing
192.168.x.y addresses in an outgoing traceroute, or listening to customer
complaints about "why is there a line ' * * * ' in my traceroute output?
something must be wrong!" when filtering those.
So right now, I let packets with RFC addresses pass (from upstream, not
from our customers). But I still hope that people will stop using them
for transit networks.
> And on the outgoing interfaces we filter packets going to our own netblocks,
> so that we don't accidentally leak because of fucked up routing.
Interesting idea. I'm not sure how that problem could happen, but maybe
our network's topology is too simple :-)
> And then there are the filters on the BGP4 sessions to prevent someone from
> injecting bogus routes into our AS (remember that EBGP learned routes take
> precedence over IGP, and more specific routes always take precedence, so if
> you don't filter correctly, someone might hijack one IP from your network).
Plus filters for the transit networks on the usual exchange points
(DE-CIX, MAE-Frankfurt, etc.) - because that could hose up routing
massively if one of those networks appears in your iBGP...
Thanks for the tip with "filter bogus routes from our own network blocks",
I didn't yet think of that problem, but it's certainly worth considering.
> > Interestingly enough, we don't observe many attacks - what we do see is LOTS
> > of broken end user configurations (leaking RFC 1918 networks, customers
> > leaking IP addresses from other ISPs, ...).
>
> Yeah. But it also helps to prevent smurf attacks etc.
Definitely - that's why I did it, but I just wanted to note that there
are (well, "we observe") much more misconfiguration problems than active
attacks.
Gert Doering
-- NetMaster
--
SpaceNet GmbH Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299
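The filters discussed in the message above (deny own source addresses from upstream, drop RFC 1918 and martian sources, deny packets to own netblocks on the way out, and reject own blocks or their more-specifics on eBGP sessions) as an added, runnable model. This is example code written for this archive page, not SpaceNet's or anyone else's router configuration; every netblock in it is a constructed placeholder from the RFC 5737 documentation ranges, and the exchange-point prefix is a made-up stand-in, since the real DE-CIX or MAE-Frankfurt networks are not on the page.

```python
"""Edge packet filters and an eBGP prefix filter modelled on the lir-wg thread.

Added example, not SpaceNet's configuration.  All netblocks are constructed
placeholders (RFC 5737 documentation ranges), not real allocations.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Hypothetical "our" netblocks standing in for the ISP's real allocations.
OWN_BLOCKS = [IPv4Network("198.51.100.0/24"), IPv4Network("203.0.113.0/24")]

# RFC 1918 private space.
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]

# Other martians: never valid as a unicast source on the public Internet.
MARTIANS = [IPv4Network("0.0.0.0/8"), IPv4Network("127.0.0.0/8"),
            IPv4Network("169.254.0.0/16"), IPv4Network("224.0.0.0/3")]

# Hypothetical exchange-point peering LAN (placeholder; the thread names
# DE-CIX and MAE-Frankfurt but gives no prefixes).
EXCHANGE_TRANSIT = [IPv4Network("192.0.2.0/24")]


def in_any(addr, nets):
    return any(addr in n for n in nets)


@dataclass
class Packet:
    src: str
    dst: str


def ingress_from_upstream(pkt, drop_rfc1918=False):
    """ACL on the interface facing the upstream.  A packet carrying one of
    our own source addresses is spoofed by definition here.  Dropping RFC 1918
    sources is left as a policy switch: the thread notes that doing so turns
    hops on 192.168/16 transit links into '* * *' in customer traceroutes."""
    src = IPv4Address(pkt.src)
    if in_any(src, OWN_BLOCKS):
        return "deny", "our own source address arriving from upstream"
    if in_any(src, MARTIANS):
        return "deny", "martian source"
    if drop_rfc1918 and in_any(src, RFC1918):
        return "deny", "RFC 1918 source from upstream"
    return "permit", ""


def ingress_from_customer(pkt, assigned):
    """ACL on a customer port: only the customer's assigned blocks may appear
    as source.  This catches leaked RFC 1918 space, addresses belonging to
    other ISPs, and spoofed smurf traffic with one rule."""
    src = IPv4Address(pkt.src)
    if not in_any(src, assigned):
        return "deny", "source not in customer's assigned blocks"
    return "permit", ""


def egress_to_upstream(pkt):
    """ACL on the outgoing interface: traffic for our own netblocks must never
    leave the AS, whatever a broken routing table says."""
    dst = IPv4Address(pkt.dst)
    if in_any(dst, OWN_BLOCKS):
        return "deny", "destination is one of our own netblocks"
    return "permit", ""


def ebgp_accept(prefix):
    """Inbound prefix filter for an eBGP session.  A more-specific of our own
    block wins the longest-match lookup, so accepting even a single /32 from a
    peer hands that one host to the peer; exchange-point LANs must not show up
    as routes at all, or next-hop resolution for every peer there breaks."""
    p = IPv4Network(prefix)
    if any(p.subnet_of(own) for own in OWN_BLOCKS):
        return False, "our own block or a more-specific of it"
    if any(p.overlaps(x) for x in EXCHANGE_TRANSIT):
        return False, "exchange-point transit network"
    if any(p.subnet_of(m) for m in RFC1918 + MARTIANS):
        return False, "private or martian prefix"
    return True, ""


if __name__ == "__main__":
    # Constructed sample traffic and announcements.
    print(ingress_from_upstream(Packet("198.51.100.7", "203.0.113.9")))
    print(ingress_from_upstream(Packet("192.168.1.1", "198.51.100.1")))
    print(ingress_from_customer(Packet("192.168.1.5", "11.22.33.44"),
                                [IPv4Network("203.0.113.0/28")]))
    print(egress_to_upstream(Packet("198.51.100.5", "203.0.113.1")))
    for pfx in ("203.0.113.128/25", "11.0.0.0/8", "192.0.2.0/24"):
        print(pfx, ebgp_accept(pfx))
```

The three packet filters are the 1999 access-list logic expressed as functions so the decision points are visible; on a real router the same rules live in interface ACLs and a prefix-list applied to the BGP neighbour. The `drop_rfc1918` switch is the trade-off the message describes: leaving it off lets upstream hops numbered from private space show in traceroutes, turning it on hides them behind `* * *`.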