[Dshield] Egress filtering

Piet Barber pbarber at pietbarber.com
Fri Mar 7 16:02:23 GMT 2003


> If you have a Cisco, just add 'ip verify unicast reverse-path' to the 
> configuration of your inside router interfaces.  Works great, 
> fast-switched and MLS-capable, no access lists needed.  If a packet 
> arrives with a source address that is not in the routing table for that 
> interface, it is dropped.  Piece of cake.  If you have a PIX, enable 
> anti-spoofing.

You and I are in complete agreement. It's easy to do, doesn't have much 
impact, and it should be done at every edge. I wish more providers did this. 
Do the little home routers do this (LinkSys, D-Link, et al.)?

If everybody did this simple trick forged IP source attacks would be a 
thing of the past.  I want to know how to get there from here.  Would it 
be possible to make a SPEWS type list for networks that are known to not 
do any egress filtering?  Should people start pressuring the NSPs to start 
cutting people off when they don't do this type of filtering?

> But there is a flip side as well.  Should you allow 'bogons' (RFC-1918, 
> reserved, or unused netblocks) as destination addresses either? 

That's why people should use Rob Thomas's Bogon list for filtering illegal 
network blocks inbound and outbound. 

http://www.cymru.com/Bogons/index.html

The address list gets updated as new /8s get allocated to the IP 
Registries (RIPE, ARIN, APNIC, etc.).
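The strict reverse-path check and the bogon filtering discussed above, modelled in Python as an added example that is not part of the original post or of any vendor's code; the routing table, interface names and the short bogon subset are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> interface the router would use to reach it.
# Real Cisco uRPF ignores the default route unless 'allow-default' is configured;
# it is included here only so that unrouted sources resolve to the outside interface.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "inside0",
    ipaddress.ip_network("198.51.100.0/24"): "inside1",
    ipaddress.ip_network("0.0.0.0/0"): "outside0",
}

# A small subset of bogon prefixes (RFC 1918 plus a few reserved ranges); the
# full, regularly updated list is the one maintained at cymru.com referenced above.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]


def best_route(addr):
    """Longest-prefix match; returns (prefix, interface) or None if nothing matches."""
    a = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in ROUTES.items() if a in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_strict(src, ingress_iface):
    """Strict uRPF: the packet passes only if the best route back to its source
    address points out the very interface the packet arrived on."""
    route = best_route(src)
    return route is not None and route[1] == ingress_iface


def is_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)


def filter_packet(src, dst, ingress_iface):
    """Apply bogon filtering in both directions, then the reverse-path check."""
    if is_bogon(src) or is_bogon(dst):
        return "drop: bogon"
    if not urpf_strict(src, ingress_iface):
        return "drop: urpf"
    return "accept"
```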
