[nsp-sec] creative lying

Tue Sep 2 17:09:13 EDT 2008

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: John Fraizer [mailto:john at op-sec.us] 
> Sent: Tuesday, September 02, 2008 2:45 PM
> To: Smith, Donald
> Cc: Alfredo Sola; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] creative lying
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> And to add to that, it's quite a task to update the interface 
> config on thousands on customer-agg routers to add urpf.
We managed it but it did take MONTHS and then that little m40 urpf heap
bug bit us.

> 
> It's been an ongoing project for me for going on 2 years here 
> at the "new" gig and it has not been without its trials.

If you see any gotcha's let me know. 

> 
> John
> 
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> > 
> > No problem at all except who owns/manages the CPE (customer provided
> > equipment) and what is their payout for doing this?
> > 
> > I agree its a good idea how do we get our customers to perform that
> > filtering?
> > In many cases the guy setting up an enterprises router has 
> never heard
> > of cymru or seen cisco's security blue prints or read a 
> juniper manual
> > about security. They simply want to router to work and once 
> it begins
> > working they leave it alone.
> > 
> > 
> > 
> > Security through obscurity WORKS against some worms and ssh 
> attacks:)
> > Donald.Smith at qwest.com giac 
> > 
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net 
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> >> Alfredo Sola
> >> Sent: Tuesday, September 02, 2008 11:48 AM
> >> To: nsp-security at puck.nether.net
> >> Subject: Re: [nsp-sec] creative lying
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >>
> >>> thing works at all because so few people 
> use/deploy/maintain BCP-38
> >>> compliance.  This was an eye-opener for me.
> >> http://www.caida.org/workshops/wide/0808/slides/measuring_reve
> >> rse_paths.pdf
> >>
> >> 	I've been wondering for years, what is so complicated 
> >> about not letting
> >> spoofed packets out of CPE routers? Even at an aggregation level my
> >> experience is that it creates no issues at all, and it does 
> >> eliminate a
> >> source of potential (but all too often very real) trouble. 
> Plus, it's
> >> not anything even remotely complicated to deploy; in 
> Cisco-land, it's
> >> one sentence per interface - easily added to a template 
> (such as Team
> >> Cymru's excellent reference secure templates, which do have it).
> >>
> >> 	Perhaps this one is for -discuss.
> >>
> >> -- 
> >> Alfredo Sola
> >> ASP5-RIPE
> >> http://alfredo.sola.es/
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the 
> >> nsp-security
> >> community. Confidentiality is essential for effective 
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
> >>
> > 
> > 
> > This communication is the property of Qwest and may contain 
> confidential or
> > privileged information. Unauthorized use of this 
> communication is strictly 
> > prohibited and may be unlawful.  If you have received this 
> communication 
> > in error, please immediately notify the sender by reply 
> e-mail and destroy 
> > all copies of the communication and any attachments.
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of 
> the nsp-security
> > community. Confidentiality is essential for effective 
> Internet security counter-measures.
> > _______________________________________________
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with PCLinuxOS - http://enigmail.mozdev.org
> 
> iD8DBQFIvaXo+16lRpJszIgRAswyAJ9tKXbtL7WC7COnnMi2M12D45y2XACePWEa
> eI/AV/TIz3kKU3H6SR/bfH8=
> =Ur9m
> -----END PGP SIGNATURE-----
> 