North American Network Operators Group
Re: Automatic filtering - CISCO, you should think about this...
Karl Denninger writes...
> How about an interface keyword such as "auto-inbound-filter", which does
> this:
>
> At STARTUP and when the LOCAL route table changes (ie: "ip route
> xxx..." statements) the system looks at the interfaces, and the
> local static routes, and builds an accept list for that interface.
> The list is stored in a "reserved" set of system access lists.
>
> Add a parameter which can be turned on (ie: log) which would add
> "log" to the end of the filter lists, so that anyone TRYING to smurf
> will get logged.
>
> This would totally automate the process of inbound filtering to prevent or
> severely limit smurf attacks.
>
> Since filters which are based only on the source address are relatively
> cheap for the router to process, this would likely not seriously burden
> anyone in their direct connections.
>
> I'd love to see something like this, and it would reduce the complaint that
> it's "too hard to manage" such things.
How about having "no-auto-inbound-filter" instead, making the default in all
new versions of IOS be to run this essential level of protection, providing
a means to turn it off only for those who know they need to turn it off.
--
Phil Howard, phil at milepost dot com
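The proposal quoted above (build a per-interface source-address accept list from the interface's own subnets plus the static routes pointing out of it, rebuilt whenever the static routes change, with an optional trailing "log" deny) can be sketched in a few lines. This is an added illustration, not code from the thread or from any vendor; it assumes IOS-style standard ACL syntax, static routes expressed as (prefix, outgoing interface), and a constructed two-interface topology.

```python
import ipaddress

# Constructed topology (hypothetical, not from the original post):
# interface name -> prefixes configured directly on that interface
INTERFACES = {
    "Serial0": ["203.0.113.0/30"],
    "Serial1": ["198.51.100.0/30"],
}
# Local static routes as (destination prefix, outgoing interface),
# i.e. the "ip route ..." statements the proposal would watch for changes.
STATIC_ROUTES = [
    ("192.0.2.0/24", "Serial0"),
    ("192.0.2.0/25", "Serial0"),   # overlaps the /24 above; collapsed away
    ("198.18.0.0/15", "Serial1"),
]


def expected_sources(interface, interfaces, static_routes):
    """Source prefixes that may legitimately arrive on `interface`: its own
    connected subnets plus every static route that exits through it,
    collapsed so overlapping or adjacent prefixes become one entry."""
    nets = [ipaddress.ip_network(p) for p in interfaces.get(interface, [])]
    nets += [ipaddress.ip_network(dst) for dst, via in static_routes if via == interface]
    return sorted(ipaddress.collapse_addresses(nets))


def build_inbound_acl(interface, interfaces, static_routes, acl_number, log=False):
    """Render a standard ACL: permit each expected source prefix (address plus
    wildcard mask), then deny everything else, logging the deny if requested."""
    lines = [
        f"access-list {acl_number} permit {net.network_address} {net.hostmask}"
        for net in expected_sources(interface, interfaces, static_routes)
    ]
    lines.append(f"access-list {acl_number} deny any" + (" log" if log else ""))
    return lines


def build_all(interfaces, static_routes, base=1900, log=False):
    """Rebuild the whole reserved ACL set, one list per interface, plus the
    'ip access-group N in' binding. Re-run at startup and on any static route
    change, which is exactly when the proposal says the lists are regenerated."""
    acls, bindings = {}, []
    for i, ifname in enumerate(sorted(interfaces)):
        number = base + i
        acls[ifname] = build_inbound_acl(ifname, interfaces, static_routes, number, log)
        bindings += [f"interface {ifname}", f" ip access-group {number} in"]
    return acls, bindings


if __name__ == "__main__":
    acls, bindings = build_all(INTERFACES, STATIC_ROUTES, log=True)
    print("\n".join(line for acl in acls.values() for line in acl) + "\n" + "\n".join(bindings))
```

Because the filter keys only on the packet's source address, it is cheap to evaluate, which is the efficiency point the quoted post makes.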