[169141] in North American Network Operators' Group


Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

daemon@ATHENA.MIT.EDU (Jeff Kell)
Fri Feb 14 21:18:54 2014

Date: Fri, 14 Feb 2014 21:18:17 -0500
From: Jeff Kell <jeff-kell@utc.edu>
To: <fergdawgster@mykolab.com>
In-Reply-To: <52FECBCB.3010405@mykolab.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I
> can't endorse or advocate any particular method of blocking spoofed IP
> packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks your prefixes on ingress, is perhaps the safest bet.
Strict uRPF has its complications, and loose uRPF is almost too
forgiving.  If you're providing transit, it gets much more complicated
much more quickly, but the same principles apply (they just get to be a
less-than-100% solution)  :)

> I can, however, say with confidence that it is still a good idea.
> Great idea, even. :-)

Oh yeah :)

Jeff


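Added example, not part of Jeff Kell's message or the NANOG thread: a small Python model of the dead-end (stub network) anti-spoofing filter he describes, i.e. egress permits only your own prefixes as source, ingress from the upstream drops packets claiming your own prefixes as source. It renders the two filters as IOS-style extended ACLs and adds a toy strict/loose uRPF check over a constructed FIB to show the "loose uRPF is almost too forgiving" point: loose mode only asks whether the source exists in the routing table at all, so a packet arriving from upstream with one of your own addresses as source still passes. The prefixes (documentation ranges), ACL names, interface names and FIB entries are all constructed for illustration.

```python
"""Model of a dead-end network's ingress/egress anti-spoofing filter,
plus a toy uRPF comparison. Constructed example; all prefixes, ACL names
and interface names are hypothetical."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the prefixes a hypothetical stub network originates.
OUR_PREFIXES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def in_our_prefixes(src: ipaddress.IPv4Address, prefixes=OUR_PREFIXES) -> bool:
    return any(src in net for net in prefixes)


def egress_permitted(src_ip: str, prefixes=OUR_PREFIXES) -> bool:
    """Egress toward the upstream: permit ONLY our own source addresses."""
    return in_our_prefixes(ipaddress.ip_address(src_ip), prefixes)


def ingress_permitted(src_ip: str, prefixes=OUR_PREFIXES) -> bool:
    """Ingress from the upstream: drop anything claiming our own addresses."""
    return not in_our_prefixes(ipaddress.ip_address(src_ip), prefixes)


def render_ios_acls(prefixes=OUR_PREFIXES) -> str:
    """Render both filters as IOS-style extended ACLs (hypothetical names)."""
    lines = ["ip access-list extended EGRESS-ANTISPOOF"]
    for net in prefixes:
        # IOS extended ACLs use wildcard (host) masks, not prefix lengths.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    lines.append("ip access-list extended INGRESS-ANTISPOOF")
    for net in prefixes:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


# Constructed FIB: prefix -> interface the router uses to reach it.
# Gi0/0 is the upstream link; Gi0/1 and Gi0/2 face our own LANs.
# No default route is included; uRPF normally ignores one unless told
# otherwise, and with a default route loose mode would permit everything.
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/1",
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/2",
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/0",  # a prefix learned from upstream
}


def longest_match(ip: ipaddress.IPv4Address, fib=FIB) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    best = None
    for net, iface in fib.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(src_ip: str, in_iface: str, mode: str = "strict", fib=FIB) -> bool:
    """Strict: the best route to the source must point back out the arrival
    interface. Loose: the source merely has to exist in the FIB."""
    hit = longest_match(ipaddress.ip_address(src_ip), fib)
    if hit is None:
        return False          # unrouted (bogon) source: both modes drop
    if mode == "loose":
        return True           # any routable source passes, even our own from upstream
    return hit[1] == in_iface


if __name__ == "__main__":
    print(render_ios_acls())
    spoofed = "198.51.100.7"  # our address, arriving from the upstream link
    print("ACL ingress:", ingress_permitted(spoofed))
    print("strict uRPF:", urpf_permits(spoofed, "Gi0/0", "strict"))
    print("loose  uRPF:", urpf_permits(spoofed, "Gi0/0", "loose"))
```

The last three lines of output are the whole argument in miniature: the plain ingress ACL and strict uRPF both drop a packet from upstream that claims one of your own addresses, while loose uRPF lets it through because the address is routable. The trade-off in the other direction (the "complications" of strict mode) is asymmetric routing: a legitimate packet arriving on an interface other than the one the FIB would use to reach its source is dropped too, which is why the static two-ACL approach is the safer default for a single-homed dead-end network.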

