[Dshield] XP and security

Johannes B. Ullrich jullrich at euclidian.com
Wed Nov 28 15:20:58 GMT 2001


Can't help myself but inject my own $0.02 into the XP raw socket 
discussion. Personally, I am a bit split about it. I always applaud
when MSFT adheres to industry standards. On the other hand, I somewhat
agree with Steve Gibson on this, that raw sockets are just not
required in everyday life.

Whichever way is right, I think the impact is minimal. The most 
important defense against spoofed sources is that ISPs implement good 
egress filters. I think it was explained before: egress filters ensure 
that you only allow packets out that have a source IP which is assigned to 
you. Most routers, by default, do not look at the source IP. It is not 
needed to route a packet to its destination. However, if you are an 
ISP, and you are using the netblock 555.555.555.0/24, there is no reason 
to allow anything else out.

The practical problem with these egress filters is that they are simple 
for small ISPs, but small ISPs usually don't have the extra dollars to 
pay for the better router. For larger ISPs, these filters can become more 
complex and difficult to maintain. Either way, it should be done, and 
many ISPs do it.

Just for completeness: ISPs can also implement ingress filters. These 
basically look at the source IP of inbound packets. However, they are less 
effective, as there are only a limited number of unused netblocks (and 
internal netblocks) that can be blocked.

Overall it comes down to money... All of these filters and such cost. Just 
ask yourself how you pick an ISP. Are you asking for egress filters, 
or are you asking 'how much per month'?


--
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

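Added example, not part of the original post or of DShield: a small model of the two source-address filters the post describes, written against Python's standard ipaddress module so it runs offline. The ISP netblock 203.0.113.0/24, the deny list and the packet lines are constructed for illustration (203.0.113.0/24 stands in for the post's 555.555.555.0/24, which is not a valid IPv4 address). The egress check forwards a packet only if its source is in the ISP's own block; the ingress check drops only sources from ranges that cannot legitimately arrive from outside, and the sample traffic shows why the post calls it the weaker of the two: a spoofed source that sits in some other network's allocated space passes it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Iterable, List

# Hypothetical ISP netblock (RFC 5737 documentation space), assumed here in
# place of the post's 555.555.555.0/24.
ASSIGNED_BLOCK = IPv4Network("203.0.113.0/24")

# Source ranges that should never arrive from the Internet side: "this
# network", RFC 1918 private space, loopback, link-local, and the ISP's own
# block (a packet claiming an inside source cannot legitimately come from
# outside). Constructed for illustration; not an exhaustive bogon list.
INGRESS_DENY_SOURCES: List[IPv4Network] = [
    IPv4Network("0.0.0.0/8"),
    IPv4Network("10.0.0.0/8"),
    IPv4Network("127.0.0.0/8"),
    IPv4Network("169.254.0.0/16"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
    ASSIGNED_BLOCK,
]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def parse_packet(line: str) -> Packet:
    """Parse a constructed 'src -> dst' text line into a Packet."""
    src, dst = (part.strip() for part in line.split("->"))
    return Packet(IPv4Address(src), IPv4Address(dst))


def egress_allowed(pkt: Packet, assigned: IPv4Network = ASSIGNED_BLOCK) -> bool:
    """Egress filter on the ISP's upstream link: forward a packet only if its
    source address lies inside the block assigned to the ISP. The destination
    is not consulted; plain forwarding never needs the source, which is why a
    default router configuration does not check it."""
    return pkt.src in assigned


def ingress_allowed(pkt: Packet,
                    deny: Iterable[IPv4Network] = INGRESS_DENY_SOURCES) -> bool:
    """Ingress filter on packets arriving from the Internet: drop only those
    whose source lies in a range that cannot legitimately originate there.
    Anything else, spoofed or not, is forwarded."""
    return not any(pkt.src in net for net in deny)


def apply_filter(lines: Iterable[str],
                 allowed: Callable[[Packet], bool]) -> List[str]:
    """Run a filter over text packet lines; return the lines it would forward."""
    return [line for line in lines if allowed(parse_packet(line))]


# Constructed sample traffic. 198.51.100.0/24 and 192.0.2.0/24 are the other
# RFC 5737 documentation ranges, used here as "some other network's space".
OUTBOUND = [
    "203.0.113.7 -> 198.51.100.1",    # legitimate customer traffic
    "192.0.2.200 -> 198.51.100.1",    # spoofed: source is not ours
    "10.0.0.5 -> 198.51.100.1",       # spoofed with a private source
]
INBOUND = [
    "198.51.100.1 -> 203.0.113.7",    # legitimate reply
    "10.0.0.5 -> 203.0.113.7",        # private source from outside: drop
    "203.0.113.9 -> 203.0.113.7",     # our own block arriving from outside: drop
    "192.0.2.200 -> 203.0.113.7",     # spoofed but allocated elsewhere: passes
]


if __name__ == "__main__":
    print("egress forwards: ", apply_filter(OUTBOUND, egress_allowed))
    print("ingress forwards:", apply_filter(INBOUND, ingress_allowed))
```

Run as a script it forwards only the first outbound line, but three of the four inbound lines: the egress rule needs a single fact (your own netblock) to stop every spoofed source, while the ingress rule can only name ranges known to be impossible, so a forged source in any ordinary allocated range goes through.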