[Dshield] Egress filtering

Deb Hale haled at pionet.net
Fri Mar 7 17:54:26 GMT 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- -----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Piet Barber
Sent: Friday, March 07, 2003 10:02 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Egress filtering


> If you have a Cisco, just add 'ip verify unicast reverse-path' to the
> configuration of your inside router interfaces.  Works great, 
> fast-switched and MLS-capable, no access lists needed.  If a packet 
> arrives with a source address that is not in the routing table for that 
> interface, it is dropped.  Piece of cake.  If you have a PIX, enable 
> anti-spoofing.

> You and I are in complete agreement. It's easy to do, doesn't have much 
> impact, it should be done at every edge. I wish more providers did this. 
> Do the little home routers do this (LinkSys, Dlink, et al.)?

*****  If the Linksys routers do this, I would be very interested in HOW to do it.
I am running Linksys at home and at the office and want to do everything I
can to make sure that I am not aiding and abetting this activity *******
	

> If everybody did this simple trick forged IP source attacks would be a 
> thing of the past.  I want to know how to get there from here.   Would it 
> be possible to make a SPEWS type list for networks that are known to not 
> do any egress filtering?  Should people start pressuring the NSPs to start 
> cutting people off when they don't do this type of filtering? 

> But there is a flip side as well.  Should you allow 'bogons' (RFC-1918,
> reserved, or unused netblocks) as destination addresses either?

> That's why people should use Rob Thomas's Bogon list for filtering illegal 
> network blocks inbound and outbound. 

http://www.cymru.com/Bogons/index.html

The address list gets updated as new /8s get allocated to the IP
Registries (RIPE, ARIN, APNIC, etc.).




-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmjc0jxOOHZjYde8EQIEYwCeLzlufQ32ROJVTKAECEsRMSp1gtoAoLk/
Yc79ibJaJN43VugUdf/XRwuQ
=ntJP
-----END PGP SIGNATURE-----
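
The two edge checks discussed in this thread, modeled in Python as an added example (not code from the original message or from any router vendor): drop a packet arriving on the inside interface when its source is not routed via that interface, and drop it when its destination is a bogon. The inside prefix, the sample packets and the function names are constructed for illustration, and the bogon entries are only RFC 1918 plus a few reserved blocks, not the maintained list linked above.

```python
import ipaddress

# Constructed: the prefixes routed toward the inside interface.
INSIDE_ROUTES = [ipaddress.ip_network("198.51.100.0/24")]

# Illustrative subset only: RFC 1918 plus a few reserved blocks.
# A production filter is generated from a maintained bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
)]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def egress_verdict(src, dst):
    """Verdict for a packet received on the inside interface, heading out."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # Reverse-path style check: the source must be reachable via this interface.
    if not in_any(s, INSIDE_ROUTES):
        return "drop: source not routed via inside interface"
    # The flip side: do not send traffic toward bogon destinations.
    if in_any(d, BOGONS):
        return "drop: bogon destination"
    return "forward"

def summarize(packets):
    """Count verdicts over (src, dst) pairs."""
    counts = {}
    for src, dst in packets:
        verdict = egress_verdict(src, dst)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample traffic seen on the inside interface.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),    # legitimate inside host
    ("192.168.1.5", "203.0.113.10"),     # source outside the routed prefix
    ("1.2.3.4", "203.0.113.10"),         # forged source
    ("198.51.100.7", "10.1.2.3"),        # RFC 1918 destination
    ("198.51.100.9", "172.31.255.255"),  # last address of 172.16.0.0/12
    ("198.51.100.9", "172.32.0.1"),      # just past 172.16.0.0/12
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>15} -> {dst:<15} {egress_verdict(src, dst)}")
```
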



