Subject: Re: Networking theories
From: Bluefish (11a GMX.NET)
Date: Sun May 07 2000 - 13:13:36 CDT
I received a request for the email I had in mind as a private email. I
figured it might be useful reading for several others as well.
The email I had in mind was from CIAC (not CERT, typo):
http://www.ciac.org/ciac/bulletins/k-032.shtml
Related / similar papers found with altavista:
http://www.royans.net/insync/ddos/bugtraq_ddos1.shtml
http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
http://www.cisco.com/warp/public/707/newsflash.html
http://www.sans.org/y2k/egress.htm
(the CIAC paper is the best, IMHO)
None of these papers actually describes how to protect against the attack
mentioned in the original mail, but the attack wouldn't be possible if all
major ISPs used EGRESS filtering. Nor do the papers have a solution
against any DDoS which sends correct, unspoofed packets.
Additionally, Linux firewalls/routers could be set up for maximum anti-spoof
security using:

    # Only attempt this if the kernel exposes the rp_filter control
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "FIREWALL: Enabling kernel IP spoofing protection... "
        # Write the setting to every interface entry (all, default, eth0, ...)
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo "2" > "$f"
        done
        echo "done."
    fi

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
> Any idea on where to obtain a copy of this email? I'm not exactly a large
> ISP, but I do deal with a few large networking situations.
>
> ----- Original Message -----
> From: "Bluefish" <11a GMX.NET>
> To: <VULN-DEV SECURITYFOCUS.COM>
> Sent: Friday, May 05, 2000 5:06 PM
> Subject: Re: [VULN-DEV] Networking theories
>
>
> > > victim.org(spoofed) ---> ICMP(source-quench) --->
> > > router.victim.org
> >
> > Actually, there was an email from... cert (I think) ... intended for larger
> > companies and ISPs with guidelines for combating DDoS. Among those
> > guidelines there were recommendations of checking source IP. So it's a
> > known problem which responsible ISPs will stop (but probably most don't)
> >
> > ..:::::::::::::::::::::::::::::::::::::::::::::::::..
> > http://www.11a.nu || http://bluefish.11a.nu
> > eleventh alliance development & security team
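
Added example, not part of Bluefish's message: a check that reports the effective reverse-path filter mode per interface after a script like the one above has run. It assumes the semantics documented for current Linux kernels (0 = off, 1 = strict, 2 = loose, effective value is the larger of conf/all and conf/<interface>); the helper names rp_filter_audit and make_sample_conf and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective rp_filter mode per interface.
# Assumes current-kernel semantics: 0 = off, 1 = strict, 2 = loose, and
# effective value = max(conf/all, conf/<iface>).
# rp_filter_audit and make_sample_conf are hypothetical helper names.

rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    want=${2:-1}                      # expected mode; default strict
    bad=0
    [ -r "$conf_dir/all/rp_filter" ] || {
        echo "rp_filter not available under $conf_dir" >&2
        return 2
    }
    all=$(cat "$conf_dir/all/rp_filter")
    for f in "$conf_dir"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac
        val=$(cat "$f")
        # The kernel applies the larger of the "all" and per-interface values.
        if [ "$all" -gt "$val" ]; then eff=$all; else eff=$val; fi
        case $eff in
            0) mode=off ;; 1) mode=strict ;; 2) mode=loose ;; *) mode=unknown ;;
        esac
        if [ "$eff" -eq "$want" ]; then
            echo "OK $iface: effective=$eff ($mode)"
        else
            echo "MISMATCH $iface: effective=$eff ($mode), expected=$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]                  # status 0 only if every interface matched
}

# Constructed sample tree (not real system state): all=0, eth0=2, eth1=0.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all:0 default:0 eth0:2 eth1:0; do
        mkdir -p "$d/${i%%:*}"
        echo "${i##*:}" > "$d/${i%%:*}/rp_filter"
    done
    echo "$d"
}
```

Call rp_filter_audit with no arguments to check the live /proc tree; pass the expected mode as the second argument (for example 2 where loose mode is intended on a multihomed router).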