[LUGOS] Pipin Odprti Termin: A few sample cases from the desk of the SI-CERT security centre

Jernej Horvat j+lugos at aufbix.org
Mon Apr 10 13:18:51 CEST 2006


You might also be interested in this:

> From: Daniel Karrenberg <daniel.karrenberg at ripe.net>
> To: RIPE Mailing List <ripe-list at ripe.net>
> Subject: Proposal for a RIPE "IP Spoofing" Task Force
> List-Id: General announcements / discussions about RIPE <ripe-list.ripe.net>

> Dear colleagues,
> 
> unfortunately DoS amplification attacks are still with us.  There are
> indications that the damage caused by such attacks is increasing;
> certainly their visibility has increased recently.  The only way to
> effectively stop amplification attacks is to prevent IP source address
> spoofing.  Without spoofing there is no amplification and no obfuscation
> of the real source of DoS attack traffic.  RIPE needs to encourage
> operators to prevent IP source address spoofing.  Hence I propose to
> establish an "IP Spoofing" task force. 
> 
> I include a document outlining the motivation for the task force, a
> proposed charter and a proposed time-line; it also has a reference list
> that can be used as a starting point to learn more. 
> 
> In order to collect suggestions and gather people working on the task
> force, I propose a BoF session at RIPE-52.  Tuesday around 17:15 after
> the plenary and before the social is a good time.  If you are interested
> I will see you there.  If you would like to help but you will not be in
> Istanbul, please contact me off-list with specifics of what you can
> contribute.  I am specifically looking for people from equipment vendors
> who can provide how-to documents and network operators who can relate
> deployment experiences. 
> 
> Daniel

> 
> Proposal for a RIPE "IP Spoofing" Task Force
> ============================================
> 
> Daniel Karrenberg
> 
> <daniel.karrenberg at ripe.net>
> 
> 1.0
> 
> Thu Apr  6 16:04:35 CEST 2006
> 
> 
> 
> Introduction
> ------------
> 
> IP source address spoofing is the practice of originating IP datagrams
> with source addresses other than those assigned to the host of origin. 
> In simple words the host pretends to be some other host. 
> 
> This can be exploited in various ways, most notably to execute DoS
> amplification attacks which cause an amplifier host to send traffic to
> the spoofed address. 
> 
> There are many recommendations to prevent IP spoofing by ingress
> filtering, e.g.  checking source addresses of IP datagrams close to the
> network edge. 
> 
> Most equipment vendors support ingress filtering in some form. 
> 
> Yet recently significant DoS amplification attacks have happened which
> would be impossible without spoofing. 
> 
> This demonstrates that ingress filtering is definitely not deployed
> sufficiently.  Unfortunately there are no direct benefits to an ISP that
> deploys ingress filtering.  Also there is a widely held belief that
> ingress filtering only helps when it is universally deployed. 
> 
> RIPE as an operational forum should promote deployment of ingress
> filtering at the network edge by creating a task force that raises
> awareness and provides indirect incentives for deployment. 
> 
> 
> 
> Proposed Charter
> ----------------
> 
> This task force shall 
> 
>    - raise awareness about this issue among network operators,
> 
>    - inform about operational methods to implement ingress filtering,
> 
>    and 
> 
>    - seek ways to provide incentives and benefits to operators 
>      that do implement ingress filtering.
> 
> 
> The taskforce shall have completed its task when 
> 
>    - network operators cannot reasonably claim not to be aware of the issue,
> 
>    - information about ways to deploy ingress filtering is readily available 
> 
>    and
> 
>    - any incentives it may have devised have become available.
> 
> 
> The task force shall be disbanded when these tasks have been completed 
> or when there is consensus within RIPE that completion of the tasks 
> is no longer realistic.
> 
> 
> 
> Suggested Time-Line 
> -------------------
> 
> RIPE-52: BoF and Establishment of Task Force
> 
> Quickly draft and publish RIPE recommendation citing existing work.
> Compile How-To with (pointers to) vendor documentation and operational
> experience reports.
> Establish liaison with MIT ANA Spoofer Project, promote their tools.
> Analyse Spoofer data for RIPE region.
> 
> 
> RIPE-53: Published RIPE Recommendation on Ingress Filtering
>          Published First Edition of "Ingress Filtering How-To"
>          First analysis of Spoofer data.
>          Discuss possible incentive schemes.
> 
> Revise and extend How-To.
> Devise possible incentive schemes like a "Source Address Clean" 
> network logo, suitable RIPE DB attributes ...
> 
> 
> RIPE-54: Published Second Edition of "IP Source Address Filtering How-To"
>          Further analysis of Spoofer data for RIPE region.
>          Launch of any incentive scheme.
> 
> Implement incentive scheme.
> Monitor progress and effectiveness.
> 
> 
> RIPE-55: Evaluation and Disbanding of Task Force
> 
> 
> 
> References
> ----------
> 
> RFC2827 
> Network Ingress Filtering: 
> Defeating Denial of Service Attacks which employ IP Source Address Spoofing
> http://www.ietf.org/rfc/rfc2827.txt
> 
> SSAC004
> Securing the Edge
> http://www.icann.org/committees/security/sac004.txt
> 
> SSAC008
> DNS Distributed Denial of Service (DDoS) Attacks 
> http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
> 
> ripe-66
> RIPE Task Forces
> ftp://ftp.ripe.net/ripe/docs/ripe-066.txt
> 
> MIT Spoofer Project
> http://spoofer.csail.mit.edu/
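
Added example, not part of the forwarded proposal or of any RIPE document: a small Python model of the edge ingress filtering the proposal refers to (RFC 2827), which drops a datagram unless its source address lies in a prefix assigned to the customer port it arrived on. The port names, prefixes (documentation ranges) and sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

# Constructed example: prefixes assigned to each customer-facing edge port.
# Port names and prefixes are hypothetical.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.128/25")],
}

def source_address(datagram: bytes) -> ipaddress.IPv4Address:
    """Extract the source address from a raw IPv4 header."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = datagram[0] >> 4, datagram[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.IPv4Address(datagram[12:16])

def ingress_permit(port: str, datagram: bytes) -> bool:
    """Permit only datagrams whose source lies in a prefix assigned to the port."""
    try:
        src = source_address(datagram)
    except ValueError:
        return False  # malformed header: drop
    return any(src in net for net in ASSIGNED.get(port, []))

def make_datagram(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4/UDP header (checksum left at zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def demo() -> list:
    """Run the filter over constructed datagrams addressed to one remote host."""
    remote = "203.0.113.53"
    samples = [
        ("cust-a", make_datagram("192.0.2.10", remote)),    # own address: permit
        ("cust-a", make_datagram("198.51.100.7", remote)),  # cust-b's address: drop
        ("cust-b", make_datagram("198.51.100.7", remote)),  # own address: permit
        ("cust-b", b"\x45\x00"),                            # truncated header: drop
    ]
    return [ingress_permit(port, dgram) for port, dgram in samples]

if __name__ == "__main__":
    print(demo())
```

The second sample is the case the proposal is concerned with: the datagram claims an address that is not assigned to the port it entered on, so it is discarded at the edge before it can reach any other network.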

