On 04-May-01 Bjoern Engels wrote:
I don't think automatic dropping of the routes is a good idea. What if an attacker spoofs the source address using ip addresses of a router you are attached to, your name server's ip address or the ip-addresses of the root name servers ? This would be a nice and pretty easy DoS.
This only happens if you use tools like portsentry with its defaults and do not exclude certain ip addresses from being dropped (namely routers, switching routers, your own static ip, etc.). If you'd get caught by such a "DoS" using portsentry you'd basically suffer from a RTFM problem ... ;-) Furthermore, portsentry/guardian can be set to notify-only so that routes don't get dropped for real but get written into a log file for later inspection. This can be monitored for a while to learn more about the tool's behaviour. Additional measures concerning IP spoofing can be introduced by tightly configuring a packet screening/stateful firewall based on ipchains/netfilter, making sure that spoofing attempts with local IPs, source routed packages and other martians are blocked.
Bjoern Engels Trainer & Consultant LANWORKS AG
---
Boris Lorenz
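Worked example of the two safeguards the reply describes (an exclusion list of hosts that must never be blocked, and a notify-only mode that logs instead of dropping routes). This is added code, not from the original thread and not portsentry's own implementation; the ignore-file format and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the style of a portsentry.ignore file (assumption:
# one address or CIDR per line, '#' starts a comment). RFC 5737 test ranges.
IGNORE_FILE = """\
# hosts that must never be blocked, even if a probe claims to come from them
127.0.0.1
203.0.113.10        # our own static address
203.0.113.1         # upstream router
198.51.100.53/32    # our resolver
192.0.2.0/24        # stand-in for the root name servers (constructed)
"""

def parse_ignore(text):
    """Parse the ignore file into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

@dataclass
class RouteDropper:
    ignore: list                      # networks that are never blocked
    notify_only: bool = True          # log instead of acting, as the reply suggests
    dropped: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def handle(self, src_ip):
        """Decide what to do with a probe from src_ip.

        Returns 'ignored' (protected host, possibly spoofed), 'logged'
        (notify-only mode) or 'dropped' (route would really be removed).
        """
        if self.is_ignored(src_ip):
            self.log.append(f"probe from {src_ip}: protected host, not blocked")
            return "ignored"
        if self.notify_only:
            self.log.append(f"probe from {src_ip}: would drop route (notify-only)")
            return "logged"
        self.dropped.append(src_ip)   # real deployment would alter the routing table
        return "dropped"
```

With an empty ignore list and notify_only disabled, a probe spoofed from the router's address would be blocked, which is exactly the self-inflicted DoS the thread warns about.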