LINUX SECURITY --- June 19, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Can egress filtering prevent denial of service attacks? Steve Gibson seems to think so, and he thinks ISPs should be responsible for implementing it.
________________________________________________________________________________

New Tool to Hold ISPs Accountable
By Rick Johnson

An article posted on Newsbytes (http://www.newsbytes.com/news/01/166814.html) reported that Steve Gibson, president of Gibson Research Corp. (http://www.grc.com), is developing a free tool to hold accountable those ISPs that have not implemented egress filtering.

Gibson's utility, which will be called Spoofarino, enables Internet users to test whether their ISPs allow them to send forged or "spoofed" packets of data to Gibson's Web site. A spoofed packet conceals the true Internet Protocol address of the sender's computer, making it appear to come from another machine.

According to Gibson, network administrators have long known that spoofing is a problem, but the issue has become dire since the technique is being used to conceal the perpetrators' identities in denial of service attacks.

"Once an invalid packet leaves the ISP and gets loose on the Internet, back-tracking it is virtually impossible, but every ISP has border routers connecting their internal network out onto the Internet. Those routers could have a line of code added to their rules that says, 'is the return address valid? If not, drop it,'" Gibson told Newsbytes.

However, Gibson says that very few ISPs currently use egress filtering, and believes it is time to hold them responsible. Besides enabling users to test whether they can produce packets with bogus return addresses, Spoofarino will allow them to add their test results to a virtual "hall of shame" constructed at Gibson's site.
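Gibson's border-router rule, "is the return address valid? If not, drop it," can be modelled in a few lines. The script below is an added example written for this newsletter, not code from the article, from GRC or from Spoofarino. It assumes a hypothetical ISP whose customer address blocks are the RFC 5737 documentation ranges, and it goes one step beyond the article by also showing the stricter per-customer-port variant (the approach standardised as RFC 2827 / BCP 38), which stops one customer from impersonating another customer of the same ISP. A real router does this with an access list, often in hardware; this script only shows the decision and the log line a defender would want to see.

```python
"""Source-address (egress) filtering, modelled in Python as an added example.

Assumptions, not taken from the article: the ISP knows which address block it
assigned to each customer port, and the prefixes below are constructed from
the RFC 5737 documentation ranges.  Two policies are shown:

  * border policy  -- the rule Gibson describes: at the border router, drop any
    outbound packet whose source address is not inside one of the ISP's own
    blocks (RFC 2827 / BCP 38).
  * per-port policy -- the stricter form applied on each customer-facing
    interface: the source must lie in the block assigned to *that* port, so a
    customer cannot even impersonate another customer of the same ISP.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed: customer-facing interface -> block assigned to that customer.
PORT_PREFIXES: Dict[str, IPv4Network] = {
    "cust-a": ip_network("192.0.2.0/24"),
    "cust-b": ip_network("198.51.100.0/24"),
}
ISP_PREFIXES: List[IPv4Network] = list(PORT_PREFIXES.values())


class Packet(NamedTuple):
    iface: str   # customer-side interface the packet arrived on
    src: str     # claimed source / return address
    dst: str
    proto: str


def border_policy(pkt: Packet) -> bool:
    """'Is the return address valid?' at the ISP border: True if src lies in
    any block the ISP owns.  Malformed addresses are rejected outright."""
    try:
        addr = ip_address(pkt.src)
    except ValueError:
        return False
    return any(addr in net for net in ISP_PREFIXES)


def per_port_policy(pkt: Packet) -> bool:
    """Stricter check on the customer port: src must be in that port's block."""
    net = PORT_PREFIXES.get(pkt.iface)
    if net is None:
        return False  # unknown interface: fail closed
    try:
        return ip_address(pkt.src) in net
    except ValueError:
        return False


def apply_filter(packets: List[Packet], policy: Callable[[Packet], bool]
                 ) -> Tuple[List[Packet], List[str]]:
    """Return (forwarded packets, log lines for dropped packets)."""
    forwarded: List[Packet] = []
    drop_log: List[str] = []
    for pkt in packets:
        if policy(pkt):
            forwarded.append(pkt)
        else:
            drop_log.append(
                f"DROP spoofed-source iface={pkt.iface} src={pkt.src} "
                f"dst={pkt.dst} proto={pkt.proto}")
    return forwarded, drop_log


# Constructed sample traffic leaving the ISP toward 203.0.113.5 (an address
# from the RFC 5737 documentation range, standing in for a remote site).
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5", "tcp"),     # legitimate
    Packet("cust-b", "198.51.100.7", "203.0.113.5", "udp"),   # legitimate
    Packet("cust-a", "198.51.100.7", "203.0.113.5", "udp"),   # cust-a posing as cust-b
    Packet("cust-a", "203.0.113.77", "203.0.113.5", "tcp"),   # source outside the ISP
    Packet("cust-b", "10.0.0.1", "203.0.113.5", "icmp"),      # private source leaking out
    Packet("cust-b", "not-an-ip", "203.0.113.5", "tcp"),      # malformed
]


def summarize(policy: Callable[[Packet], bool]) -> Tuple[int, int]:
    """(forwarded, dropped) counts for SAMPLE under the given policy."""
    fwd, log = apply_filter(SAMPLE, policy)
    return len(fwd), len(log)


if __name__ == "__main__":
    for name, pol in (("border", border_policy), ("per-port", per_port_policy)):
        fwd, log = apply_filter(SAMPLE, pol)
        print(f"[{name}] forwarded {len(fwd)}, dropped {len(log)}")
        for line in log:
            print("   ", line)
```

Run it directly to see which constructed packets each policy forwards and which it drops. The border policy alone still lets cust-a emit packets bearing cust-b's address, because both blocks belong to the ISP; that is why filtering on the customer-facing port is the stronger form, and why the per-packet lookup cost the article mentions is paid on every outbound packet.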
"I want to give ISPs credit for taking this responsibility, and I want to hold those responsible who don't," said Gibson.

Besides helping to snuff out DDoS attacks, egress filtering could prevent attackers from performing "stealth" port scans of remote computers to look for vulnerabilities. The downside of egress filtering is that it is considerably more CPU- and memory-intensive for the ISP's router, and most ISPs won't consider upgrading their equipment a cost-effective option.

When it becomes available later this summer, Spoofarino may create a public relations headache for ISPs that are not filtering spoofed packets. Having been in this position before, I'm not completely sure that this entire program is a good idea. A tool that identifies the problem is absolutely needed, although listing those without it in a "Hall of Shame" is a bit fanatical. Sure, they should do whatever is in their power to prevent DDoS attacks, but the answer isn't always as black and white as some would like to think. The perpetrators are still the bad guys, not the ISPs.

About the author(s)
-------------------
Rick Johnson is currently involved in a number of projects, none of which he can discuss at this time. Aren't non-disclosure agreements wonderful? When not involved with those, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

Web Spoofing: An Internet Con Game
http://bau2.uibk.ac.at/matic/spoofing.htm

IP-spoofing Demystified
http://www.fc.net/phrack/files/p48/p48-14.html

Egress Filtering v 0.2
http://www.sans.org/y2k/egress.htm

Why Egress Filtering Can Benefit Your Organization
http://www.sans.org/newlook/resources/IDFAQ/egress_benefits.htm
________________________________________________________________________________