Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISPs And Router Security

Posted by Cliff on from the would-this-break-something? dept.

IPvNOT asks: "With all the script kiddies and distributed denial of service tools that spring up each week, there is an increasing use of spoofed network addresses. It would seem logical to me, to help control some of the problem, for ISP's to install a simple access control list (ACL) entry that blocks all packets that do not contain an address within their 'internal' network. How hard would this be to implement on a large scale? Would ISPs implement this?" I would think that an ISP would be able to block and drop anything they receive from the outside if its IP address starts with '192.168.', '127.' or '10.', and there are several others that can be screened for -- are there reasons that ISPs don't do this?

2 of 199 comments (clear)

  1. Re:Some ISPs will by villeww · · Score: 5

    See RFC2827 , which describes the Best Current Practice for doing Ingress Filtering. Just the thing needed to block most of the DDoS attacks.

  2. Routing and security by Gondola · · Score: 5

    I worked at a major internet provider for over 2 years, and when I left I was Senior Network Engineer, with only the head of the engineering department above me, and above him was the CTO. We had over a dozen POPs (Points of Presence), and OC3 lines strung from MAE East to MAE West and many points between, and OC12's being installed. So, let's assume I can speak slightly to this issue.

    With a major provider, your hardware is going to be big enough (BFR, GRF, etc) to handle 60,000+ routes AND do adequate security filtering. Don't accept the RFC'd routes in, and don't propogate them. Period. Don't accept internal routes from external sources. These are simple rules any major provider *can* handle if they can handle a full routing table. We're talking edge routers.

    Smaller providers who are multi-homed and that lease dialups wholesale are a problem, though. Their dialups have IPs that don't belong to them. They often don't have the expertise to configure their ACLs correctly, and leave gaping holes in their security. Sometimes we'd scan our customers' routers with SNMP probes and find a lot of default SNMP passwords for read *AND* write access to their router, and we'd let them know to button up their router. One of our routers would occasionally get flooded with extra routes from a customer (we had lousy filtering) and the resulting flood of traffic would kill the customer's router. The first sign of this would be the customer's line going down. We were understaffed and used several different kinds of routers, so ACL's varied slightly between platforms because of the way they had to be written.

    My point is that you need three things for merely minimal security (just by IP blocks):

    Hardware: a router with enough CPU and enough RAM
    Expertise: engineers that know how to write ACLs for the IOS you're using
    Priority: your engineers have to have the time to actually sit down and get the ACLs updated on all the routers correctly

    Unfortunately, I don't think there are many providers that have all of these.