[Dshield] Scanning from 127.0.0.1

John Hardin johnh at aproposretail.com
Fri Sep 26 15:28:10 GMT 2003


On Thu, 2003-09-25 at 19:18, Doug White wrote:
> 
> I can see no reason to look to ISPs to do filtering for you, when that
> action could block legitimate users of the ports in question.

We're discussing ingress/egress filtering here, which has much more
easily defined boundaries for "proper handling" than port filtering
does. ISP's arguably *do* have a responsibility to do ingress and egress
filtering, it's just that very few do.

1) 127.0.0.0/8 has no business on the wire. Period. It should be
discarded on all routers, source IP or destination IP. Period. (Yes, I
know, dest=127.x.x.x shouldn't ever *make* it onto the wire in the first
place. Defense in depth.)

2) Reserved private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) have
no business on the Internet. Period. They should be discarded on all ISP
backbone boundary routers, source IP or destination IP. Period. Unless
the ISP is for some reason assigning their clients reserved IP
addresses, their client-side routers (e.g. DSL and dialup concentrators)
should also discard those ranges, source IP or destination IP. Period.
If they are assigning their clients reserved private IPs, then only the
blocks they are using should be permitted on the client-side routers.

Discarding bad-dest-IP traffic in (1) and (2) can be achieved cheaply
through routing table entries (vs. packet filtering), and many ISPs *do*
do this. Few, however, filter on *source* IP addresses.

3) On ISP client-side routers, any inbound traffic with a source address
that does not fall within the IP range(s) assigned to that client should
be discarded. Period.

4) On ISP backbone routers, any outbound traffic with a source address
that does not fall within the IP range(s) assigned to that ISP should be
discarded. Period. Alternatively (or additionally) the backbone
providers can do the filtering for inbound traffic on their client feeds
- view it as the backbone provider acting as the "ISP" in case (3)
above.

I have repeatedly asked Sprintlink to do this and they repeatedly say
(1) there is no customer demand for it (2) it would cost too much (3)
open a case for a specific instance of abuse and we'll work to correct
it (that specific case, I presume).

In addition to Jon's "Public Squeaking" plan, I would like to add: buy
shares in the major backbone providers, and become a stakeholder. If
enough of us do this, we may be able to force change from the top down:
get ingress/egress filtering on a shareholder ballot and vote it in as a
company policy. 

Comments?

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
-----------------------------------------------------------------------
 40 days until Matrix Revolutions
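The four rules above, as an added example that is not part of the original post or of any ISP's configuration: a small Python model of the policy decisions a client-side router (rules 1 to 3) and a backbone boundary router (rules 1, 2 and 4) would make on each packet. The client and ISP address ranges, and the sample packets, are constructed from the RFC 5737 documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) purely for illustration; the `allowed_private` parameter models the one exception the post allows, an ISP that assigns reserved private blocks to its own clients.

```python
import ipaddress

# Rule 1: 127.0.0.0/8 has no business on the wire, as source or destination.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Rule 2: reserved private space (RFC 1918) has no business on the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(ranges):
    """Accept prefixes as strings or ip_network objects."""
    return [ipaddress.ip_network(r) for r in ranges]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def _common_checks(src, dst, allowed_private):
    """Rules 1 and 2, applied on every router to both source and destination."""
    if src in LOOPBACK or dst in LOOPBACK:
        return "DROP: loopback address on the wire (rule 1)"
    for addr in (src, dst):
        if _in_any(addr, RFC1918) and not _in_any(addr, allowed_private):
            return "DROP: reserved private address (rule 2)"
    return None


def client_router_verdict(src, dst, client_ranges, allowed_private=()):
    """Verdict on a packet arriving at an ISP client-side router from a client.

    client_ranges:   prefixes the ISP assigned to this client (rule 3).
    allowed_private: RFC 1918 blocks the ISP itself assigns to clients; only
                     those blocks are permitted, everything else in RFC 1918
                     is still discarded (the exception stated under rule 2).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = _common_checks(src, dst, _nets(allowed_private))
    if verdict:
        return verdict
    # Rule 3: inbound traffic whose source is outside the client's assignment
    # is spoofed and must be discarded.
    if not _in_any(src, _nets(client_ranges)):
        return "DROP: source outside client's assigned range (rule 3)"
    return "ACCEPT"


def backbone_router_verdict(src, dst, isp_ranges):
    """Verdict on a packet leaving an ISP through its backbone boundary router.

    isp_ranges: all prefixes assigned to the ISP (rule 4). No private-space
    exception here: reserved addresses never cross the backbone boundary.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = _common_checks(src, dst, allowed_private=[])
    if verdict:
        return verdict
    # Rule 4: outbound traffic with a source the ISP was never assigned.
    if not _in_any(src, _nets(isp_ranges)):
        return "DROP: source outside ISP's assigned ranges (rule 4)"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed topology: one client holding 203.0.113.0/24 inside an ISP
    # that holds 203.0.113.0/24 and 198.51.100.0/24.
    client = ["203.0.113.0/24"]
    isp = ["203.0.113.0/24", "198.51.100.0/24"]
    samples = [  # (src, dst) pairs, constructed for illustration
        ("203.0.113.5", "192.0.2.1"),    # legitimate client traffic
        ("127.0.0.1", "192.0.2.1"),      # the loopback source that started the thread
        ("10.1.2.3", "192.0.2.1"),       # private source leaking out
        ("198.51.100.9", "192.0.2.1"),   # another ISP customer's address, spoofed
    ]
    for src, dst in samples:
        print(f"{src:>14} -> {dst:<12} client-side: "
              f"{client_router_verdict(src, dst, client)}")
        print(f"{'':>14}    {'':<12} backbone:    "
              f"{backbone_router_verdict(src, dst, isp)}")
```

Rules 1 and 2 (bad destination) are the ones the post says ISPs can implement cheaply with routing-table entries; the source checks in rules 3 and 4 are the part it says few ISPs actually do, and in this model they are the only checks that distinguish a spoofed packet from a legitimate one when the forged source is an otherwise routable address.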