[Dshield] XP and security
Johannes B. Ullrich
jullrich at euclidian.com
Wed Nov 28 15:20:58 GMT 2001
I can't help but inject my own $0.02 into the XP raw socket
discussion. Personally, I am a bit split about it. I always applaud
when MSFT adheres to industry standards. On the other hand, I somewhat
agree with Steve Gibson on this, that raw sockets are just not
required in everyday life.
Whichever way is right, I think the impact is minimal. The most
important defense against spoofed sources is that ISPs implement good
egress filters. I think it was explained before: egress filters ensure
that you only allow packets out that have a source IP which is assigned to
you. Most routers, by default, do not look at the source IP; it is not
needed to route a packet to its destination. However, if you are an
ISP and you are using the netblock 555.555.555.0/24, there is no reason
to allow anything else out.
The practical problem with these egress filters is that they are simple
for small ISPs, but small ISPs usually don't have the extra dollars to
pay for the better router. For larger ISPs, these filters can become more
complex and difficult to maintain. Whichever way, it should be done, and
many ISPs do it.
Just for completeness: ISPs can also implement ingress filters. These
basically look at the source IP of inbound packets. However, they are less
effective, as there are only a number of unused netblocks (and internal
netblocks) that can be blocked.
Overall it comes down to money... All of these filters and such cost. Just
ask yourself about how you pick an ISP. Are you asking for egress filters
or are you asking for 'how much per month'?
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
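The egress and ingress filtering described in the post, worked through as an added example (this is not code from the post or from DShield). In practice these rules live in a router ACL or a uRPF check, not in a script; the block below just implements the decision logic so the two filters can be compared on constructed packets. The ISP allocation 192.0.2.0/24 (an RFC 5737 documentation prefix) stands in for the post's placeholder 555.555.555.0/24, the bogon list is an assumed, deliberately short one, and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed ISP allocation; RFC 5737 documentation space stands in for the
# post's placeholder "555.555.555.0/24".
ISP_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed, deliberately short bogon list: source prefixes that should never
# arrive from the public Internet (unassigned, private, loopback, link-local).
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out": customer -> Internet, "in": Internet -> customer


def egress_allowed(pkt: Packet) -> bool:
    """Egress filter: a packet may leave only if its source is one of ours.

    This is the check the post recommends: it catches every spoofed source,
    regardless of what address the spoofer picked.
    """
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ISP_NETBLOCKS)


def ingress_allowed(pkt: Packet) -> bool:
    """Ingress filter: drop inbound packets whose source cannot be genuine.

    Our own addresses cannot legitimately arrive from outside, and bogon
    prefixes are never valid sources. Anything else has to be let through,
    which is why this filter is weaker than egress filtering.
    """
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in ISP_NETBLOCKS):
        return False
    return not any(src in net for net in BOGON_PREFIXES)


def filter_packets(packets):
    """Apply the filter matching each packet's direction.

    Returns (allowed, dropped) as two lists of Packet.
    """
    allowed, dropped = [], []
    for pkt in packets:
        ok = egress_allowed(pkt) if pkt.direction == "out" else ingress_allowed(pkt)
        (allowed if ok else dropped).append(pkt)
    return allowed, dropped


# Constructed sample traffic for the example.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.1", "out"),    # legitimate customer traffic
    Packet("198.51.100.7", "203.0.113.1", "out"),  # customer spoofing a foreign source
    Packet("10.1.2.3", "192.0.2.10", "in"),        # inbound from private space (bogon)
    Packet("192.0.2.5", "192.0.2.10", "in"),       # inbound claiming to be one of ours
    Packet("198.51.100.7", "192.0.2.10", "in"),    # spoofed, but from valid public space
]

if __name__ == "__main__":
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in allowed:
        print(f"PASS {pkt.direction:>3} src={pkt.src} dst={pkt.dst}")
    for pkt in dropped:
        print(f"DROP {pkt.direction:>3} src={pkt.src} dst={pkt.dst}")
```

The last sample packet is the point the post makes about ingress filters: a spoofed source drawn from someone else's valid public allocation looks like any other inbound packet, so only the egress filter at the spoofer's own ISP can stop it.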