[Dshield] Egress filtering

Piet Barber pbarber at pietbarber.com
Fri Mar 7 02:23:42 GMT 2003


The 'net will forever be a victim of DDoS attacks from forged addresses
until a sizeable portion of the sites on the Internet start doing egress
filtering -- not allowing any packets out of your network that aren't in
your netblock.

For instance, I have a small network w.x.y.z/28.  There is absolutely no
excuse as to why my network should ever allow any packet to leave it with
a source address outside of that netblock.

I don't understand why it is so easy for bad guys to make a collection of
zombies that are capable of doing forged address attacks.  These things
should be filtered at every network where the zombies reside.  Perhaps I'm
too naive.

I run some big-time name servers at work, and you would be shocked at the
number of RFC 1918-sourced IP addresses that we filter (before they get to
the name server).  Ok, maybe you wouldn't.  I don't believe the
1918-sourced DNS queries are malicious, just the result of incompetence.

As far as I understand it, egress filtering at the edge isn't done
because:

1) network admins' clue factor is too low
2) network admins' time to maintain egress lists is non-existent
3) router hardware is already CPU-maxed, and incapable of any more work
4) Nobody's doing it, why should we?! / It's not seen as common practice
5) Networks don't suffer legal liability if they allow such forgeries to
escape their networks.

Could we get some discussion started about this?  Especially about how
Dshield could maybe help along with this important subject.

We can keep track of machines that have been doing SubSeven probes until
we're blue in the face.  But until somebody does something about the
apparent ease with which the bad guys can forge packets, we're all screwed.
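The two filters the post describes, as an added worked example that is not part of the original message: the egress rule for a small /28 (a packet may only leave if its source lies inside the netblock) and the ingress rule in front of the name servers (drop RFC 1918 sources, and drop anything arriving from outside that claims one of our own addresses). The netblock 198.51.100.16/28 stands in for the post's w.x.y.z/28, the WAN interface name and the sample packets are constructed for illustration, and the iptables lines are one way to express the same policy on a Linux router.

```python
"""Source-address sanity filter, egress and ingress sides.

Added example for the egress-filtering discussion above; not code from the
original post. The netblock, interface name and packets below are assumptions.
"""
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Tuple

# Assumption: stands in for the post's w.x.y.z/28 (addresses .16 through .31).
SITE_NETBLOCK = ipaddress.ip_network("198.51.100.16/28")
WAN_IFACE = "eth0"  # assumption: the interface facing the upstream provider

# RFC 1918 private ranges: never legitimate as a source on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet(NamedTuple):
    direction: str  # "egress" (leaving our network) or "ingress" (arriving)
    src: str
    dst: str


def egress_verdict(src: str, netblock=SITE_NETBLOCK) -> str:
    """Egress rule: a packet may leave only if its source is one of ours."""
    return "ACCEPT" if ipaddress.ip_address(src) in netblock else "DROP"


def ingress_verdict(src: str, netblock=SITE_NETBLOCK) -> str:
    """Ingress rule at the border: reject sources that cannot be genuine.

    - our own netblock arriving from outside can only be spoofed
    - RFC 1918 sources cannot be routed back to, so they are noise or forgery
    """
    addr = ipaddress.ip_address(src)
    if addr in netblock:
        return "DROP"
    if any(addr in private for private in RFC1918):
        return "DROP"
    return "ACCEPT"


def filter_packets(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Apply the direction-appropriate rule to each packet."""
    out = []
    for pkt in packets:
        rule = egress_verdict if pkt.direction == "egress" else ingress_verdict
        out.append((rule(pkt.src), pkt))
    return out


def verdict_counts(packets: List[Packet]) -> Counter:
    return Counter(verdict for verdict, _ in filter_packets(packets))


def iptables_rules(netblock=SITE_NETBLOCK, wan=WAN_IFACE) -> List[str]:
    """Equivalent policy as iptables rules on the router's FORWARD chain."""
    rules = [
        # egress: anything going out the WAN side that is not sourced from us
        f"iptables -A FORWARD -o {wan} ! -s {netblock} -j DROP",
        # ingress: our own addresses must never arrive from the WAN side
        f"iptables -A FORWARD -i {wan} -s {netblock} -j DROP",
    ]
    # ingress: RFC 1918 sources dropped before they reach the name servers
    rules += [f"iptables -A FORWARD -i {wan} -s {p} -j DROP" for p in RFC1918]
    return rules


# Constructed sample traffic: a mix of legitimate and forged packets.
SAMPLE_PACKETS = [
    Packet("egress", "198.51.100.20", "203.0.113.5"),     # legitimate outbound
    Packet("egress", "203.0.113.77", "203.0.113.5"),      # zombie forging an outside source
    Packet("egress", "10.0.0.9", "203.0.113.5"),          # leaked private source
    Packet("ingress", "203.0.113.5", "198.51.100.20"),    # normal inbound
    Packet("ingress", "192.168.1.10", "198.51.100.20"),   # RFC 1918-sourced DNS query
    Packet("ingress", "198.51.100.21", "198.51.100.20"),  # our own address from outside
]

if __name__ == "__main__":
    for verdict, pkt in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.direction:7} {pkt.src} -> {pkt.dst}")
    print("\n".join(iptables_rules()))
```

The egress rule is deliberately the narrow one the post argues for: it does not need to know which addresses are bad, only which are ours, so the list never changes unless the netblock does, which answers the "time to maintain egress lists" objection for a small site.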



