
Re: draft-ietf-grip-isp-00.txt now available



>Source address filtering greatly reduces the number of spoofing-based
>attacks, and is something that can be done today.  Clearly the really
>determined attacker will find a way around it.

The only practical spoofing-based attacks I'm aware of are all
denial-of-service attacks. That's because you generally can't get
reply packets based to whatever bogus IP address you've been using.

Denial of service attacks are both harder to prevent and arguably less
serious than attacks that compromise data. I'm just not willing to make
the net less efficient and harder to use in the name of patching up one
particular denial of service attack (TCP SYN flooding) especially since
we've found several more effective ways to alleviate the problem at the
target hosts that avoid these problems.

>Another alternative is to use a friendly local SMTP relay site where the
>travelling users connect.  So far the only legitimate reason for open
>mail relays that I've heard is anonymous remailers.

Not always practical or useful. It's common, for example, for much of
a traveling user's email to be to and from internal mailing lists; in
many cases, these lists are set up to block senders from outside the
company. That means the user has to be able to access his "home" SMTP
server while he's on the road. As I said before, a good way to do this
is with a proxy TCP connection via SSH. Lacking that, he needs to reach
his relay SMTP host directly from wherever he goes.

Here's one thing we can agree on: SSH is a very useful tool for the
traveling laptop user, particularly for setting up secure TCP tunnels
for SMTP and POP that Eudora can use. If you like, I can write up
something on how to configure SSH and Eudora to work together. I
already have done this for a Qualcomm audience; I just need to make it
less specific to our setup.

>As I said to Randy, I don't think that's sufficient to get the
>operator's attention.

It certainly has been here. When things got sluggish a while back,
users complained to the operators who discovered 10K or so pieces of
relay spam sitting in the sendmail queue. That machine now blocks
relaying.  Many other sites have done the same.

Phil
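
The relay-blocking policy discussed in this message, as an added example that is not part of the original post or any site's actual configuration. It models the decision an SMTP server makes per recipient, and shows why a user arriving through an SSH tunnel (and therefore seen as an internal client) can still relay. All networks, domains and addresses are constructed placeholders, and treating `%`, `!` and `@` in the local part as re-routing is an assumption of this sketch.

```python
import ipaddress

# Constructed placeholder values (documentation ranges and domains).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),   # tunnel ends on the mail host
                ipaddress.ip_network("192.0.2.0/24")]  # internal LAN / SSH gateway
LOCAL_DOMAINS = {"example.com"}

def relay_decision(client_ip, rcpt_addr):
    """Return (accept, reason) for one RCPT TO as seen by the SMTP server."""
    local, sep, domain = rcpt_addr.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed recipient"
    ip = ipaddress.ip_address(client_ip)
    trusted = any(ip in net for net in TRUSTED_NETS)
    domain = domain.rstrip(".").lower()
    # A local part that itself names another host (user%host, host!user,
    # user@host) asks this server to forward the mail onward, so it is
    # judged as a relay request even though the outer domain is local.
    reroute = any(ch in local for ch in "%!@")
    if domain in LOCAL_DOMAINS and not reroute:
        return True, "local delivery"
    if trusted:
        return True, "relay for trusted client"
    return False, "relaying denied"

# Constructed sample SMTP sessions: (client address, recipient).
SAMPLES = [
    ("203.0.113.7", "user@example.com"),                 # outside sender, local list
    ("203.0.113.7", "someone@example.net"),              # outside to outside: relay spam
    ("203.0.113.7", "someone%example.net@example.com"),  # re-routed through us
    ("192.0.2.10", "someone@example.net"),               # traveller via SSH tunnel
]

if __name__ == "__main__":
    for client, rcpt in SAMPLES:
        print(client, rcpt, relay_decision(client, rcpt))
```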