[Dshield] Egress filtering
jeff-kell at utc.edu
Fri Mar 7 05:28:29 GMT 2003
Piet Barber wrote:

> The 'net will forever be victim of DDOS attacks from forged addresses
> until a sizeable portion of the sites on the Internet start doing egress
> filtering -- not allowing any packets out of your network that aren't in
> your netblock.
> For instance, I have a small network w.x.y.z/28. There is absolutely no
> excuse as to why my network should ever allow any packet to leave it with
> a source address outside of that netblock.

If you have a Cisco, just add 'ip verify unicast reverse-path' to the
configuration of your inside router interfaces. Works great,
fast-switched and MLS-capable, no access lists needed. If a packet
arrives with a source address that is not in the routing table for that
interface, it is dropped. Piece of cake. If you have a PIX, enable

This is technically ingress filtering at the ingress points of your
inside network, but functions equally as an egress filter -- no way to
get a source address not in your netblock in the first place.

But there is a flip side as well. Should you allow 'bogons' (RFC-1918,
reserved, or unused netblocks) as destination addresses either? Sure,
bogon destinations won't get very far on your inside network, but do you
allow them to egress? If you use a default route with no filtering you
will do just that.
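An added model of the two checks discussed in this message (not code from the post, from Cisco, or from the PIX): strict reverse-path verification on the inside interface, and the flip side, a default route that forwards bogon destinations unless an explicit filter stops them. The routing table, the interface names and the use of 192.0.2.0/28 in place of w.x.y.z/28 are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the poster's w.x.y.z/28.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/28")

# Constructed routing table: (prefix, outgoing interface), with a default route.
ROUTES = [
    (INSIDE_NET, "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# RFC 1918 plus a few well-known reserved ranges ("bogons" in the thread's sense).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4",
)]


def lookup(addr):
    """Longest-prefix match over ROUTES; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_permits(src, arriving_iface):
    """Strict reverse-path check as the post describes it: the packet's source
    must route back out the interface it arrived on, otherwise it is dropped.
    This is a simplified model, not Cisco's implementation."""
    return lookup(src) == arriving_iface


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def forward(dst, filter_bogons):
    """Forwarding decision: returns the egress interface, or None if dropped.
    Without filter_bogons, the default route happily sends bogon destinations
    out the "outside" interface, which is the leak the post warns about."""
    iface = lookup(dst)
    if iface == "outside" and filter_bogons and is_bogon(dst):
        return None
    return iface
```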