Tracking stealth portscan/pepsi attacks
Andre Oppermann oppermann at pipeline.ch
Tue Sep 7 15:10:49 CEST 1999
Leigh Porter wrote:
>
> "Gert Doering, Netmaster" wrote:
>
> > Hi,
> >
> > On Thu, Sep 02, 1999 at 10:44:39AM +0100, Leigh Porter wrote:
> > > As a side note, does anybody use anything to prevent address spoofing in their
> > > network? That would at prevent a lot of attacks completely and make tracing the
> > > rest much easier.
> >
> > Sure we do.
> >
> > On our ingress interfaces to our customers, we have very strict access
> > lists ("permit ip <customer net> any / deny ip any any log").
>
> How do you manage large BGP customers with lots of networks?
> I would also be interested to know performance hits on the routers
> for this.

Last month I described the idea of a special prefix access list on
de.comm.internet.routing that basically solves that problem.

The syntax would look something like this:

'access-list 1000 permit bgp-neighbor 1.2.3.4 received-networks'
'access-list 1100 permit bgp-neighbor 1.2.3.4 announced-networks'

It simply constructs an automatic ip prefix access-list based on the
prefixes received/announced to/from the BGP peer. This has the cute
side effect that all ip filters can be done in one place; the bgp
configuration.

The 'permit received-networks' part looks pretty promising for an easy
implementation because the router has to perform a bgp table lookup
anyway for each incoming ip packet. It simply adds a compare to find
the neighbor. The filtering on announced networks looks much more
problematic to implement but it's not that important.

Sure, this will eat some CPU but IMO not more than 10%.

I've suggested this feature to cisco and they promised that they'll
contact me tomorrow to discuss this further. As soon as I get cisco to
think deeper about this I'll post here again with contacts so that you
can voice your support too for this feature.

--
Andre Oppermann
CEO / Geschaeftsfuehrer
Internet Business Solutions Ltd. (AG)
Hardstrasse 235, 8005 Zurich, Switzerland
Fon +41 1 277 75 75 / Fax +41 1 277 75 77
http://www.pipeline.ch
ibs at pipeline.ch
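An added illustration, not part of the original message and not Cisco's implementation: a Python model of the proposed 'permit bgp-neighbor 1.2.3.4 received-networks' behaviour, where the source-address filter for a customer session follows the prefixes received from that BGP neighbor. The class and function names and the sample prefixes and packets are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

class ReceivedNetworksFilter:
    """Model of 'permit bgp-neighbor <ip> received-networks' (hypothetical semantics)."""

    def __init__(self):
        # neighbor address -> set of prefixes currently received from it
        self.received = defaultdict(set)

    def announce(self, neighbor, prefix):
        self.received[neighbor].add(ipaddress.ip_network(prefix))

    def withdraw(self, neighbor, prefix):
        # A withdrawn prefix stops being a valid source range immediately.
        self.received[neighbor].discard(ipaddress.ip_network(prefix))

    def permits(self, neighbor, src):
        """True if src falls inside a prefix this neighbor announced to us."""
        addr = ipaddress.ip_address(src)
        return any(addr.version == net.version and addr in net
                   for net in self.received.get(neighbor, ()))

def filter_ingress(acl, neighbor, packets):
    """Split (src, dst) packets from one customer session into passed and denied."""
    passed, denied = [], []
    for src, dst in packets:
        (passed if acl.permits(neighbor, src) else denied).append((src, dst))
    return passed, denied

# Constructed sample data: documentation ranges; 1.2.3.4 is the neighbor in the message.
acl = ReceivedNetworksFilter()
acl.announce("1.2.3.4", "192.0.2.0/24")
acl.announce("1.2.3.4", "198.51.100.0/25")
PACKETS = [
    ("192.0.2.17", "203.0.113.5"),      # inside a received prefix
    ("198.51.100.200", "203.0.113.5"),  # outside the /25 that was announced
    ("10.0.0.1", "203.0.113.5"),        # spoofed source
]

if __name__ == "__main__":
    passed, denied = filter_ingress(acl, "1.2.3.4", PACKETS)
    for src, dst in denied:
        print(f"deny ip {src} -> {dst} (not in networks received from 1.2.3.4)")
```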