Date: Sat, 22 Jan 2000 01:42:57 -0800 (PST)
From: "Dan Seafeldt, AZ.COM System Administrator" <yankee@az.com>
To: Don Lewis <gdonl@tsc.tdk.com>
Cc: security@FreeBSD.ORG
Subject: Re: attack arbitration server
Message-ID: <Pine.BSF.3.91.1000122012833.7170G-100000@gate.az.com>
In-Reply-To: <200001220908.BAA16378@salsa.gv.tsc.tdk.com>
That's very true. But at least the arbiter provides a starting point, not necessarily a list where every entry is acted upon. Until more gateways at upper to tier-one that don't need to send an improbable source address have outbound filtering added, I guess this is hard to address. But even these spoofed packets may have a 'quality' about them that can be documented for the purposes described before.

I had always envisioned something bigger that CISCO would get the RFC ball rolling along on these lines since they have the lion's share of the backbone, sort of an 'I don't like this source-address' message to be sent. At some point in the chain of routers during a reverse route trace back, the key router that was originally spoofed would figure out where the packet REALLY came from and realize it was different than the originally documented source address in its history/route table. Sort of like, Hey - I don't have a destination to you and I'm getting complaints about you. I'll have to think about this some more.

And now I'm off topic so I'll quit... But if I come up with more, I'll post it... I'm going to think about it because your point diminishes a lot of the worth of my suggestion, but not all of it.

On Sat, 22 Jan 2000, Don Lewis wrote:

> On Jan 22, 12:24am, "Dan Seafeldt, AZ.COM System Administrator" wrote:
> } Subject: attack arbitration server
> }
> }
> } Another idea... An option to send a special message upon attack to a
> } central server at CDROM or other appropriate third party. Networks could
> } 'elect' to be a part of an automatic notification service whereby a
> } special block and note was made in the OS to alert of contacts from
> } semi-blacklisted addresses. Other nearby intranet based machines could be
> } quickly notified as well. In addition, the FreeBSD Host or firewall being
> } notified could, upon sysadmin election, determine a level of 'throttle
> } back' or complete filtration from this IP block should contact be made.
>
> What are you going to block if the source addresses in the attack packets
> are forged? The attacker can easily insert the addresses of *.cdrom.com
> and *.root-servers.net, which will cause you to automagically block access
> to important servers in the Internet. That's a pretty nifty DoS.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message