List:       incidents
Subject:    Re: A port scan is not an Incident
From:       David Brumley <dbrumley () RTFM ! STANFORD ! EDU>
Date:       2000-09-22 20:00:40

> So filter, don't complain. Or do both and expect few results for the
> complaining.

One thing I forgot to mention: for sites using router ACLs, blocking
should be the last alternative.  Why? If you implement the filter as a
router ACL, remember that the list is traversed in O(n) time, not the O(log
n) time that you would expect (at least for Cisco).  Also, on older
routers when a match is made on an ACL, the packet is copied to a separate
buffer instead of routed to the bit bucket.  Can you say 99% CPU usage?

This is why extensive ACLs on a router will kill it just like a DoS
attack.

Last I checked Cisco was making headway on solving the traversal time
limit nuisance. The routing to the bit bucket has already been fixed, but
you may need to upgrade (check with your friendly Cisco rep).
I don't know the specifics for other router vendors.

cheers,
david
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Quidquid latine dictum sit, altum viditur.
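The linear-traversal cost David describes, modelled as an added example that is not part of the original message: a constructed deny-list of /24 prefixes is matched first by walking the ACL in order (one comparison per entry, a miss costs the full list) and then by a binary prefix trie whose lookup cost is bounded by the address width rather than the rule count. `build_acl`, `linear_match` and `PrefixTrie` are names chosen here, not any router vendor's API.

```python
import ipaddress

def build_acl(n):
    """Constructed deny-list of n /24 prefixes inside 10.0.0.0/8 (sample rules, not real)."""
    return [ipaddress.ip_network(f"10.{i // 256}.{i % 256}.0/24") for i in range(n)]

def linear_match(acl, addr):
    """Sequential ACL walk, as on the routers the message describes: O(n) per packet.
    Returns (matched, comparisons made)."""
    ip = ipaddress.ip_address(addr)
    for i, net in enumerate(acl, start=1):
        if ip in net:
            return True, i
    return False, len(acl)          # a non-matching packet pays for the whole list

class PrefixTrie:
    """Binary trie over address bits: at most 32 steps per IPv4 lookup, whatever n is."""
    def __init__(self):
        self.root = {}

    def add(self, net):
        node = self.root
        for b in f"{int(net.network_address):032b}"[: net.prefixlen]:
            node = node.setdefault(b, {})
        node["end"] = True          # marks a complete prefix

    def match(self, addr):
        """Returns (matched, bit steps taken)."""
        node, steps = self.root, 0
        for b in f"{int(ipaddress.ip_address(addr)):032b}":
            if node.get("end"):
                return True, steps
            node = node.get(b)
            steps += 1
            if node is None:        # no rule shares this bit path: early miss
                return False, steps
        return bool(node.get("end")), steps

def compare(n, addr):
    """Cost of one packet against an n-entry list under both lookup strategies."""
    acl = build_acl(n)
    trie = PrefixTrie()
    for net in acl:
        trie.add(net)
    return linear_match(acl, addr), trie.match(addr)

if __name__ == "__main__":
    for n in (100, 1000):
        print(n, "rules, hit:", compare(n, "10.0.50.9"), "miss:", compare(n, "192.0.2.1"))
```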
