Re: [nsp] A cause for concern?

From: George Robbins (grr@shandakor.tharsis.com)
Date: Sun Aug 20 2000 - 15:13:43 EDT


There's a fair amount of info floating around about the limitations
and failings of private address space. You really can't assume
that anyone else will be filtering on your behalf.

If this kind of thing irritates you, the best thing is to look at
all of your own ingress/egress points, filter bogon source/dest
address and make sure you're running a tight ship. It can be
useful to make multi-entry access lists that break down the
packets by tcp/udp/icmp/ip so you can see more than numbers...

Private addresses do tend to leak in various ways, wayward packets
tend to follow default routes - ignoring the whole attack issue.

                                                George

> Date: Sun, 20 Aug 2000 05:09:31 -0700 (PDT)
> From: "Gerard N. West" <gnwest@yahoo.com>
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] A cause for concern?
>
> On our border router, I have an inbound access list
> that, among other things, filters incoming packets
> with source addresses of private ip numbers. Recent
> activity suggests that packets with source addresses
> of private ip numbers have been attempting to enter
> our network:
>
> deny ip 10.0.0.0 0.255.255.255 any log (134 matches)
>
> I have log entries for attempts from 192.168.0.0
> 255.255.0.0 and 172.16.0.0 255.240.0.0 as well. In a
> month's time 2500 matches were made from all three
> sources. Chances are that these packets are coming
> to us with forged header information (spoofed) and are
> getting blocked at our wan filter. Or maybe there is
> a broken NAT implementation somewhere. Although routes
> used for Internet traffic are based on the destination
> ip of the packet, not the actual source of the packet,
> and packets forged in this manner have no return path
> to those networks, so any traffic inbound can not
> possibly have a return, should I be concerned about
> these attempts? Would it be much for ISPs to filter
> these routes by source at their distribution or access
> layers (not in their core), or wherever they connect
> with customers? Or, with some ISPs is it up to
> the "little guy" to do the filtering?
>
>
> =====
> Gerard N. West
> gnwest@yahoo.com
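
An added example, not part of either message in this thread: a short Python generator for the kind of multi-entry access list described in the reply, with one deny line per protocol for each RFC 1918 range so the match counters separate TCP, UDP, ICMP and other IP traffic. The ACL names and function names are hypothetical, the output assumes Cisco IOS named extended ACL syntax, and netmask-style input is converted to the wildcard form the ACL expects.

```python
import ipaddress

# RFC 1918 private ranges, the three mentioned in the thread.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Specific protocols first; "ip" last catches whatever the others did not,
# so each counter reflects one class of traffic.
PROTOCOLS = ["tcp", "udp", "icmp", "ip"]


def wildcard(net):
    """Return 'address wildcard' for a prefix.

    Accepts CIDR ("172.16.0.0/12") or netmask ("172.16.0.0/255.240.0.0")
    notation; the wildcard is the bitwise inverse of the netmask.
    """
    n = ipaddress.ip_network(net, strict=True)
    return f"{n.network_address} {n.hostmask}"


def deny_entries(match, nets=PRIVATE_NETS):
    """Build logged deny lines matching bogons as source or destination."""
    if match not in ("src", "dst"):
        raise ValueError("match must be 'src' or 'dst'")
    lines = []
    for net in nets:
        spec = wildcard(net)
        for proto in PROTOCOLS:
            if match == "src":
                lines.append(f" deny {proto} {spec} any log")
            else:
                lines.append(f" deny {proto} any {spec} log")
    return lines


def render(name, match):
    """Render the deny block of a named extended ACL.

    Only the bogon entries are produced; the site's own permit/deny
    policy has to follow them, since an ACL ends in an implicit deny.
    """
    return "\n".join([f"ip access-list extended {name}"] + deny_entries(match))


if __name__ == "__main__":
    # Hypothetical ACL names: one for each direction to be filtered.
    print(render("BOGON-SRC", "src"))
    print(render("BOGON-DST", "dst"))
```
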


