From: Bluefish [11a@GMX.NET]
Sent: Sunday, May 07, 2000 2:14 PM
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: Networking theories

I received a request for the email I had in mind as a private email. I
figured it might be useful reading for several others as well.

The email I had in mind was from CIAC (not CERT, typo):
http://www.ciac.org/ciac/bulletins/k-032.shtml

Related / similar papers found with AltaVista:
http://www.royans.net/insync/ddos/bugtraq_ddos1.shtml
http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
http://www.cisco.com/warp/public/707/newsflash.html
http://www.sans.org/y2k/egress.htm

(the CIAC paper is the best, IMHO)

None of these papers actually describes how to protect against the attack
mentioned in the original mail, but the attack wouldn't be possible if all
major ISPs used EGRESS filtering. The papers do not have a solution
against any DDoS which sends correct, unspoofed packets either.

Additionally, Linux firewalls/routers could be set up to maximum anti-spoof
security using:

    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "FIREWALL: Enabling kernel IP spoofing protection... "
        # Set the reverse-path (source address) filter on every interface
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo "2" > "$f"
        done
        echo "done."
    fi

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team

> Any idea on where to obtain a copy of this email? I'm not exactly a large
> ISP, but I do deal with a few large networking situations.
>
> ----- Original Message -----
> From: "Bluefish" <11a@GMX.NET>
> To:
> Sent: Friday, May 05, 2000 5:06 PM
> Subject: Re: [VULN-DEV] Networking theories
>
>
> > > victim.org(spoofed) ---> ICMP(source-quench) --->
> > > router.victim.org
> >
> > Actually, there was an email from... cert (I think) ... intended for larger
> > companies and ISPs with guidelines for combating DDoS. Among those
> > guidelines there were recommendations of checking source IP. So it's a
> > known problem which responsible ISPs will stop (but probably most don't)
> >
> > ..:::::::::::::::::::::::::::::::::::::::::::::::::..
> > http://www.11a.nu || http://bluefish.11a.nu
> > eleventh alliance development & security team
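
Added example, not part of the original email: a shell audit that reports the effective rp_filter mode for each interface, so a router's anti-spoofing state can be checked after a loop like the one in the message has run. It assumes the semantics given in the current Linux kernel documentation (0 = no source validation, 1 = strict, 2 = loose, with the higher of conf/all and conf/<iface> taking effect); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter mode per interface.
# Assumption: value meanings follow the current kernel ip-sysctl
# documentation: 0 = off, 1 = strict, 2 = loose, and the kernel applies
# the higher of conf/all/rp_filter and conf/<iface>/rp_filter.

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_report CONF_DIR
# Prints "<iface> <effective value> <mode>" for every interface under
# CONF_DIR and returns 1 if any interface has no source validation.
rp_filter_report() {
    conf_dir=$1
    unprotected=0
    # A missing conf/all entry is treated as 0 (no global setting)
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    for d in "$conf_dir"/*; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        # "all" and "default" are templates, not real interfaces
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        eff=$(cat "$d/rp_filter")
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi
        echo "$iface $eff $(rp_mode_name "$eff")"
        if [ "$eff" -eq 0 ]; then
            unprotected=1
        fi
    done
    return "$unprotected"
}

# Usage on a live system:
#   rp_filter_report /proc/sys/net/ipv4/conf
```
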