[24659] in North American Network Operators' Group
Re: SYN spoofing and Ciscos crashing
daemon@ATHENA.MIT.EDU (jlewis@lewis.org)
Wed Jul 28 16:43:28 1999
Date: Wed, 28 Jul 1999 16:42:17 -0400 (EDT)
From: jlewis@lewis.org
To: "bryan s. blank" <bryan@supernet.net>
Cc: Daniel Senie <dts@senie.com>, jshaw@insync.net, nanog@merit.edu
In-Reply-To: <199907281554.LAA15425@supernet.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 28 Jul 1999, bryan s. blank wrote:
>
> % ip verify unicast reverse-path
> %
> % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> % the use of extended access lists on Cisco routers is very low overhead,
> % especially on routers using distributed express forwarding.
>
> while i hate to question mr. ferguson, it's my understanding
> that many isps have found this feature to be unusable due to
> network design.
I just took out a 7206 by applying ip verify unicast reverse-path to a T3
link on a PA2T3 and attempting to spoof packets from the POP on the other
end of that T3.
The 7206 is running c7200-inu-mz.111-25.CC. Fortunately, it rebooted
after it crashed.
System restarted by bus error at PC 0x605F88CC, address 0x10024 at
20:29:49 UTC Wed Jul 28 1999
This router had been up over 8 weeks without a crash (ever since Cisco
replaced the previous 7206 in this POP that was either posessed or a
lemon). The memory is Cisco memory. All the parts came directly from
Cisco.
Is this known to be unstable in 111-25.CC? Is it known to be stable in
some other release that supports the PAT3, PA2T3, and PA-MCT3?
----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
