[unisog] IPS

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 9 19:07:16 GMT 2005


On Wed, 09 Feb 2005 11:10:05 MST, "Bauer, Steven J." said:
> Would the spoofed ips really be a problem depending on where the ips is
> deployed at?  Normally, the spoofed ip packets should be blocked by some
> router(s) that have an idea of what ip packets they should forward.
> Basically, the defense in depth method rather than depending on one
> device to do it all.

The problem is that the only routers suitably set up for that are the
ones netwise close to the source.  Inside AS1312, we *know* where packets
with our netblocks "should" be coming from, and we can filter down to the
subnet level easily (and even further if really needed).  The first few
hops inside AS7066 (NetworkVirginia) and the Abilene side of the fence
likewise "know".  I *was* going to say "Once Sprint gets hold of the
traffic from NetworkVirginia, all bets are off"... but I thought to do a
traceroute from here to your mail server:

traceroute hardrock.sdsmt.edu
traceroute to hardrock.sdsmt.edu (151.159.81.240), 30 hops max, 38 byte packets
 1  isb-6509-1.vl103.cns.vt.edu (128.173.12.1)  0.577 ms  0.412 ms  0.348 ms
 2  isb-6509-2.vl710.cns.vt.edu (128.173.0.82)  0.506 ms  0.405 ms  0.327 ms
 3  isb-7606-2.ge1-1.cns.vt.edu (192.70.187.218)  0.516 ms  0.550 ms  0.532 ms
 4  atm10-0.10.wtn2.networkvirginia.net (192.70.187.210)  10.592 ms  6.337 ms  6.505 ms
 5  192.70.138.22 (192.70.138.22)  7.726 ms  6.504 ms  7.708 ms
 6  abilene-rtr.maxgigapop.net (206.196.177.2)  7.132 ms  17.226 ms  6.994 ms
 7  nycmng-washng.abilene.ucaid.edu (198.32.8.84)  24.664 ms  11.089 ms  11.095 ms
 8  chinng-nycmng.abilene.ucaid.edu (198.32.8.82)  51.618 ms  31.990 ms  39.095 ms
 9  iplsng-chinng.abilene.ucaid.edu (198.32.8.77)  252.459 ms  245.575 ms  254.120 ms
10  mn-abilene.northernlights.gigapop.net (192.42.152.170)  58.750 ms  56.977 ms  63.212 ms
11  sd-i2r.northernlights.gigapop.net (192.42.152.189)  69.949 ms  67.362 ms  74.673 ms
12  206.71.32.10 (206.71.32.10)  116.981 ms  100.822 ms  108.037 ms

Nope, those packets went out the Abilene side of our swamp.

What filter should your site apply?  What filter should northernlights apply?

(Basically, the only real answer is "Abilene and NetworkVirginia need to
ingress-filter our exiting traffic" - once it gets past there, forget it....)
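A small added illustration of the point above (not from the original post), using Python's ipaddress module: each hop applies a BCP 38 style source-address check against the prefixes it expects to see arriving from the campus side, and the further a hop is from the source, the broader that list has to be, until a transit hop can no longer tell spoofed from legitimate. All prefixes and packet addresses below are constructed for the example.

```python
from ipaddress import collapse_addresses, ip_address, ip_network

# Source prefixes each hop can legitimately expect to see coming out of
# the campus.  Constructed for illustration: the edge knows its own
# netblocks exactly, the regional network only knows the aggregate of
# every customer behind it, and a transit backbone hop must accept any
# source because legitimate traffic from the whole Internet passes it.
CONSTRUCTED_POLICY = {
    "campus-edge": ["128.173.0.0/16", "192.70.187.0/24"],
    "regional-net": ["128.173.0.0/16", "192.70.0.0/16", "198.82.0.0/16"],
    "backbone-hop": ["0.0.0.0/0"],
}


def build_ingress_filter(prefixes):
    """Return a predicate: does this source address fall in an expected prefix?"""
    nets = [ip_network(p) for p in prefixes]
    return lambda src: any(ip_address(src) in n for n in nets)


def verdicts(packet_src, policy=CONSTRUCTED_POLICY):
    """Verdict each hop reaches for a packet carrying this source address."""
    return {
        hop: "permit" if build_ingress_filter(pfx)(packet_src) else "drop"
        for hop, pfx in policy.items()
    }


def hops_that_can_drop(packet_src, policy=CONSTRUCTED_POLICY):
    """Hops where a spoofed source is still distinguishable from legitimate traffic."""
    return [hop for hop, v in verdicts(packet_src, policy).items() if v == "drop"]


def permitted_address_count(prefixes):
    """Size of the source space a hop's filter lets through (overlaps collapsed)."""
    nets = collapse_addresses(ip_network(p) for p in prefixes)
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    # Constructed packets: a legitimate campus source, one spoofing the
    # remote mail server's address, and one spoofing another regional customer.
    for src in ("128.173.12.5", "151.159.81.240", "198.82.1.1"):
        print(src, verdicts(src), "droppable at:", hops_that_can_drop(src))
    for hop, pfx in CONSTRUCTED_POLICY.items():
        print(f"{hop}: filter admits {permitted_address_count(pfx)} source addresses")
```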