North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco says attacks are due to operational practices

  • From: Richard Steenbergen
  • Date: Thu Feb 10 22:01:22 2000

On Thu, Feb 10, 2000 at 06:13:56PM -0800, Chris Cappuccio wrote:
> Filtering incoming our outgoing ports for anybody's network but your own (not
> your customer's) is wrong.  You know specifically what apps you are running.  
> How can you know what your customer is running or what they want to do ?
> If the customer is aware this is happening or even requests this type of
> firewall service, that's great.  But to filter ports on backbone routers is
> stupid.
> On Thu, 10 Feb 2000, John M. Brown wrote:
>  | 
>  | We have always built martian filters on our edge routers.  In addition we
>  | built specific filters for ports that are not used, or are bad on the net.
>  | 
>  | No matter what the customers router is doing, ours will drop 1918 and other
>  | IP blocks, and ports.
>  | 
>  | This can be automated and can be deployed over a reasonable period of time.
>  | Most MAJOR backbone providers do not do this, wish they would

Filtering traffic sourced from 1918 space is also stupid. There is
absolutily nothing wrong with this traffic. There is something wrong with
knowing how to get to 1918 space that is not on your network or trying to
tell someone else how to get to your 1918 space, but the traffic itself is
totally legit, for example as a return in a traceroute from a hop that is
numbered in 1918 space. I am continueingly amazed how many people say
"well we filtered 1918 space that will reduce the size of the attack".
RFC1918 space is 6% of the available IPv4 address space. Infact the only
traffic that should NOT be on the internet is from the loopback class A, so if you want to filter something useful why don't you try

access-list 1911 permit
access-list 1911 deny
access-list 1911 deny 224 0.0.0
access-list 1911 permit any

Thats a 35.9% reduction in the random sourced attacks, and takes care of
multicast space sourced packets which you should never see either.

Richard A. Steenbergen <[email protected]>
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA