RE: Denial of Service Attacks, Attacked

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed May 14 2003 - 07:04:52 MDT


    Spudboy100@aol.com wrote,
    >
    > <http://news.com.com/2100-1009_3-1001200.html?tag=fd_top>
    > Moreover, the proposal shifts the onus for fixing Internet
    > security problems from the victim to the attacker's ISP
    > because such attacks result in traffic from parts of the
    > Internet close to the attacker being blocked by the victim’s server.

    I'm not sure how useful this is.

    You can't depend on the attacker's ISP to help prevent the attack. They may be owned by the attacker or they may be under the control of the attacker. And from a security point of view, your security cannot rely on third parties doing the right thing for you. If you can't do it yourself or verify that it is being done right, you don't have security assurance that your process is going to protect you at any given time.

    Furthermore, we already have easier techniques for preventing all address spoofing, but ISPs refuse to cooperate. That simple method is to filter all packets to limit them to their own legal addresses. That is, simply don't allow ISP customers to use IP addresses outside their legal range. For example, AOL could limit all outgoing traffic to using AOL source ranges. Nobody from AOL could spoof traffic from any other website. Unfortunately, most ISPs are too lazy, too stupid, or too cheap to expend any resources to control their own users or to enforce the IP protocol itself. I doubt they would do so to implement a more complicated, non-standard protocol hack. If all routers on the Internet simply enforced legal address ranges for their particular subnets, no spoofing could ever traverse the Internet outside of local segments.

    Also from a security perspective, I question the concept of storing data inside the IP packet that would later be used to decide if the packets should be accepted or not. This is the whole problem with packet forgery: people fake the data inside the packets to make them look legitimate when they aren't. This new field does not seem to have any special protections to keep it from being forged any more than IP addresses are currently forged today. It simply moves the forgery target to a different field within the packet data. But there is no additional encryption or protection for this new field. Even the fact that it should be put there by ISP routers doesn't help. E-mail paths and other packet data are supplied by routers, but this doesn't prevent forgery. Forgers just fake their own routing data into the packet as it is created, to make it appear that it has already gone through another ISP or router and already has the fields in place.

    --
    Harvey Newstrom, CISSP, IAM, GSEC, IBMCP
    <www.HarveyNewstrom.com> <www.Newstaff.com>
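The following is an added example, not part of Harvey Newstrom's message, illustrating the edge filtering he describes: each customer-facing interface of an ISP router is tied to the prefixes assigned to that customer, and any packet arriving on that interface with a source address outside those prefixes is dropped as spoofed. It goes slightly beyond the message by also dropping sources that can never be legitimate on a customer link (loopback, multicast, unspecified). Interface names, prefixes and packets are all constructed for illustration; the routers of a real ISP would express the same rule in their own ACL syntax.

```python
"""Source-address validation at an ISP customer edge (added example).

The filter is a map from ingress interface to the prefixes delegated to
the customer on that interface.  A packet is accepted only if its source
address falls inside one of those prefixes.  All names, prefixes and
packets below are constructed for illustration.
"""

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical assignments: interface -> prefixes delegated to that customer.
CUSTOMER_PREFIXES = {
    "cust-a": ["203.0.113.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.64/27"],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source IP address as written in the packet
    dst: str         # destination IP address


def build_filter(assignments):
    """Parse the prefix strings once so per-packet checks are cheap."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in assignments.items()
    }


def verdict(filt, pkt):
    """Classify one packet: 'accept' or one of the 'drop-*' reasons."""
    nets = filt.get(pkt.ingress_if)
    if nets is None:
        # No customer assignment for this interface: nothing is legal here.
        return "drop-unknown-interface"
    src = ipaddress.ip_address(pkt.src)
    # Addresses that can never be a valid source on a customer link.
    if src.is_multicast or src.is_loopback or src.is_unspecified:
        return "drop-martian"
    for net in nets:
        if src.version == net.version and src in net:
            return "accept"
    # Source is routable but not assigned to this customer: spoofed.
    return "drop-spoofed"


# Constructed traffic mix: legitimate packets plus several spoof attempts.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.7", "192.0.2.1"),      # legitimate
    Packet("cust-a", "203.0.113.200", "192.0.2.1"),    # outside the /25
    Packet("cust-a", "198.51.100.70", "192.0.2.1"),    # cust-b's address on cust-a's link
    Packet("cust-b", "198.51.100.70", "192.0.2.1"),    # legitimate
    Packet("cust-a", "2001:db8:a::1", "2001:db8::1"),  # legitimate IPv6
    Packet("cust-a", "2001:db8:b::1", "2001:db8::1"),  # wrong IPv6 /48
    Packet("cust-a", "127.0.0.1", "192.0.2.1"),        # loopback source
    Packet("cust-z", "203.0.113.7", "192.0.2.1"),      # unassigned interface
]


def summarize(filt, packets):
    """Count verdicts over a batch of packets."""
    return Counter(verdict(filt, p) for p in packets)


if __name__ == "__main__":
    f = build_filter(CUSTOMER_PREFIXES)
    for p in SAMPLE_PACKETS:
        print(f"{p.ingress_if:7} {p.src:>16} -> {verdict(f, p)}")
    print(dict(summarize(f, SAMPLE_PACKETS)))
```

The check is deliberately per-interface rather than per-ISP: a customer in one prefix must not be able to spoof a neighbouring customer of the same ISP either, which is the "outside of local segments" caveat in the message.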
    

