[Dshield] Egress filtering

Jeff Kell jeff-kell at utc.edu
Fri Mar 7 05:28:29 GMT 2003


Piet Barber wrote:
> The 'net will forever be victim of DDOS attacks from forged addresses
> until a sizeable portion of the sites on the Internet start doing egress
> filtering -- not allowing any packets out of your network that aren't in
> your netblock.
> 
> For instance, I have a small network w.x.y.z/28.  There is absolutely no
> excuse as to why my network should ever allow any packet to leave it with
> a source address outside of that netblock.

If you have a Cisco, just add 'ip verify unicast reverse-path' to the 
configuration of your inside router interfaces.  Works great, 
fast-switched and MLS-capable, no access lists needed.  If a packet 
arrives with a source address that is not in the routing table for that 
interface, it is dropped.  Piece of cake.  If you have a PIX, enable 
anti-spoofing.

This is technically ingress filtering at the ingress points of your 
inside network, but functions equally as an egress filter -- no way to 
get a source address not in your netblock in the first place.

But there is a flip side as well.  Should you allow 'bogons' (RFC-1918, 
reserved, or unused netblocks) as destination addresses either?  Sure, 
bogon destinations won't get very far on your inside network, but do you 
allow them to egress?  If you use a default route with no filtering you 
will do just that.

Jeff




More information about the list mailing list