Hello,
This discussion started on Bugtraq on the 'DDOS Attack Mitigation'
thread;
there seem to be quite a bit of confusion as of the purpose rp_filter;
I've
talked with some admins and many were relying on rp_filter to filter
_spoofed packets_. Basically only firewall rules seem to do the job
well.
I was initially suggesting that Linux provides a way to drop outgoing
packets
with source address that doesn't match any local interface, say using a
lookup
table that could be occasionally sorted according to an interface's avg.
usage;
i was told that rp_filter drops spoofed packets; i was able to route a
spoofed
packet well with an unexisting source address through my router with
rp_filter
on an firewall ingress filtering off; the packet arrived to destination.
Please forgive me if this was alerady discussed; I think at least the
documentation
should be a bit more clear and explain that rp_filter does not protect
against
IP spoofing at all, and does not do ingress filtering. It's obvious and
somewhat
documented, but some admins still rely on rp_filter to do ingress
filtering, and
that might be part of the problem.
>From 2.2.14's Configure.help:
> If you turn on IP forwarding, you will also get the rp_filter, which
> automatically rejects incoming packets if the routing table entry
> for their source address doesn't match the network interface they're
> arriving on. This has security advantages because it prevents the
> so-called IP spoofing, however it can pose problems if you use
> asymmetric routing (packets from you to a host take a different path
> than packets from that host to you) or if you operate a non-routing
> host which has several IP addresses on different interfaces. To turn
> rp_filter off use:
>
> echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
> or
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
And from networking/ip-sysctl.txt:
> rp_filter - INTEGER
> 2 - do source validation by reversed path, as specified in RFC1812
> Recommended option for single homed hosts and stub network
> routers. Could cause troubles for complicated (not loop free)
> networks running a slow unreliable protocol (sort of RIP),
> or using static routes.
>
> 1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
> that look as sourced at a directly connected interface, but
> were input from another interface.
>
> 0 - No source validation.
I must be missing something, but isn't rp_filter just making some admins
thinking spoofed traffic won't go through? I think an optional feature
that would
do source address verification against lookup table, given enough
optimization,
could be a big help in reducing DOS attacks from Linux boxes.
I know, it's the border router's job - but working w/ an isp that does
colocation,
we can't trust the LAN and most harmful attacks of course come from the
inside, also
think of boxes with a direct Internet connection.
Need more info on DDOS attacks, see Bennett Todd's excellent DDoS
whitepaper --
https://fridge.oven.com/~bet/DDoS/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:24 EST