Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

  • To: Martin Hannigan hannigan@localhost
  • From: Gert Doering gert@localhost
  • Date: Tue, 17 Oct 2006 08:45:55 +0200

Hi,

On Mon, Oct 16, 2006 at 08:27:52PM -0400, Martin Hannigan wrote:
> Clearly, BCP 38 is called for so I'll start here. My interpretation of
> it is applied to ingress traffic. In my day of hands-on router
> configuration, this meant that router performance would be dragged
> down the drain. I suspect that this is not necessarily the case,
> depending upon router type these days.

Recent gear should be able to do the anti-spoofing filtering at the edge 
without serious performance impact.

> At the edge, I'm deploying 6709's with 1gb uplinks. The future is
> obviously 10gb, which these boxes will likely deliver in their 3 to 5
> year life expectancy.
> 
> 1. What should I expect performance-wise? I'm running big iron, but I'm more
>   concerned with my legacy little iron, i.e. 7500 series with 512MB RAM, etc.

... specifically, 650x/760x with Sup720 and activated "uRPF" filtering
will do all the filtering in hardware, with no noticeable impact on
performance.

For "legacy little iron", it depends on how loaded the box really is.  uRPF
is done using the CEF structures (not with ACLs), so it's "fairly cheap",
but it *will* cause extra work for RSP or VIPs - and if you're already
at 95% CPU load, this might be too much.  (But then you should upgrade
anyway...)

> 2. bcp 38 was published in 2000. Still relevant in most peoples eyes

Still relevant.

>   or have the miscreants changed tactics enough where it doesn't
>   matter and that a DDoS defense may be cheaper/smarter/wiser? I
>   understand that part of the DDoS mechanism working against us is
>   spoofed traffic, but so what? If I go through the effort of
>   compliance, won't they just move to some other attack vector?
>   [rhetorical for the record]

It will remove whole classes of possible DDoS attacks, like "DNS reflection".

DDoS attacks are still possible, but with un-spoofed addresses, you can
at least know where the stuff is coming from, and try to quench it at
the source.

> 3. Is there any common breakdown in the network that folks have seen?
>   "Woops!" so to speak..

Don't enable ingress filtering on backbone links with asymmetric traffic.

This is something for the customer edge.

> 4. Anyone have any problem using this page as a reference for the
>   implementation reference as well as the BCP?
> 
>  http://www.cisco.com/warp/public/707/iacl.html

This is something else - this is not "anti-spoofing filtering", but 
"leave my routers alone!"-filtering.

You want both...

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  98999

SpaceNet AG                    Mail: netmaster@localhost
Joseph-Dollinger-Bogen 14      Tel : +49-89-32356-0
D- 80807 Muenchen              Fax : +49-89-32356-234
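The distinction behind the advice in this thread (uRPF at the customer edge, never strict mode on backbone links with asymmetric traffic) simulated against a small forwarding table. This is an added example written for this page, not code from the thread or from any vendor; the FIB, interface names, addresses and packets are constructed for illustration. The IOS keywords mentioned in the comments (`ip verify unicast source reachable-via rx` for strict mode, `reachable-via any` for loose mode, `allow-default`) are the real Cisco IOS syntax; the simulation itself is a simplification of how a Sup720-class box does the CEF-based check.

```python
"""Strict vs loose unicast RPF simulated against a constructed FIB.

Added example for the spoofing-tf thread; not the original poster's code.
Prefixes, interfaces and packets below are made up (RFC 5737 documentation
ranges for the "customer" and "remote" prefixes).
"""
import ipaddress

# Constructed FIB: prefix -> outgoing interface. Longest prefix wins.
FIB = {
    "0.0.0.0/0":       "Backbone0",  # default route towards upstream
    "192.0.2.0/24":    "Backbone0",  # remote prefix, best path via Backbone0
    "198.51.100.0/24": "Customer1",  # single-homed customer A
    "203.0.113.0/24":  "Customer2",  # single-homed customer B
    "10.0.0.0/8":      "Null0",      # bogon, null-routed
}


def lookup(fib, src, allow_default=False):
    """Longest-prefix match for src, returning (network, interface) or None.

    The default route is ignored unless allow_default is set, which mirrors
    the IOS 'allow-default' keyword: without it, a source that only matches
    0.0.0.0/0 has no usable reverse path and fails the check."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, ingress, src):
    """Strict mode (IOS 'reachable-via rx'): the best route back to the
    source must leave via the interface the packet arrived on. Correct for a
    single-homed customer edge; on a link with asymmetric routing it drops
    legitimate traffic, which is the "Woops!" the thread warns about."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def urpf_loose(fib, src):
    """Loose mode (IOS 'reachable-via any'): any route to the source
    suffices, except a route to Null0, so null-routed bogons still drop.
    Safe on asymmetric backbone links, but it does not catch a source
    spoofed to look like some other routed prefix."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] != "Null0"


def verdict(fib, ingress, src, mode):
    """Return 'pass' or 'drop' for one packet under the given uRPF mode."""
    if mode == "strict":
        ok = urpf_strict(fib, ingress, src)
    else:
        ok = urpf_loose(fib, src)
    return "pass" if ok else "drop"


# Constructed packets: (ingress interface, source address, what it represents)
PACKETS = [
    ("Customer1", "198.51.100.7", "customer A, own address"),
    ("Customer1", "203.0.113.9",  "customer A spoofing customer B"),
    ("Customer1", "192.0.2.1",    "customer A spoofing a remote prefix"),
    ("Customer1", "10.1.2.3",     "customer A spoofing a bogon"),
    ("Customer1", "100.64.0.1",   "unrouted source, only the default matches"),
    ("Backbone1", "192.0.2.1",    "legit remote traffic arriving asymmetrically"),
    ("Backbone1", "10.1.2.3",     "bogon source from upstream"),
]

if __name__ == "__main__":
    for ingress, src, what in PACKETS:
        print(f"{ingress:10} {src:15} strict={verdict(FIB, ingress, src, 'strict'):4} "
              f"loose={verdict(FIB, ingress, src, 'loose'):4}  {what}")
```

The table the script prints shows the trade-off in one place: on Customer1, strict mode drops every spoofed source while loose mode only catches the null-routed bogon; on Backbone1, strict mode drops the legitimate 192.0.2.1 packet because the best route to it points out Backbone0, which is exactly why strict filtering belongs on the customer edge and not on asymmetric backbone links.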