[27326] in North American Network Operators' Group
Re: Internet SYN Flooding, spoofing attacks
daemon@ATHENA.MIT.EDU (Mark Prior)
Sat Feb 12 07:52:20 2000
Message-ID: <200002121248.XAA02647@kuji.off.connect.com.au>
To: Paul Ferguson <ferguson@cisco.com>
Cc: Vijay Gill <wrath@cs.umbc.edu>, John Stracke <francis@ecal.com>,
IETF@ietf.org, nanog@merit.edu
In-reply-to: Your message of "Fri, 11 Feb 2000 21:09:47 CDT."
<4.2.2.20000211210210.00a4e880@lint.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2645.950359733.1@connect.com.au>
Date: Sat, 12 Feb 2000 23:18:54 +1030
From: Mark Prior <mrp@connect.com.au>
Errors-To: owner-nanog-outgoing@merit.edu
> We (at least cisco, anyways) already have a knob for this:
>   [no] ip verify unicast reverse-path
> We call it Unicast RPF.
And it's well documented... NOT
and available on all routers/interfaces... NOT
If it was documented and available on things like PRIs then it would
be a lot easier to deploy. Also some of the bugs that turn off CEF
need to be addressed (or at least also cause "ip verify unicast
reverse-path" to be turned off too).
Mark.
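
The dependency raised in the message above (Unicast RPF relies on CEF, so an interface where CEF is off can carry the uRPF command without the check it implies) can be audited from a saved configuration. The following is an added example, not part of the original message or any Cisco tooling. The function name audit_urpf and the sample configuration are constructed for illustration, and the sketch assumes an IOS release where CEF must be enabled explicitly with the global `ip cef` and can be disabled per interface with `no ip route-cache cef`.

```python
import re

# Constructed sample IOS configuration (not from the original message).
SAMPLE_CONFIG = """\
ip cef
!
interface Serial0/0
 ip verify unicast reverse-path
!
interface Serial0/1
 no ip route-cache cef
 ip verify unicast reverse-path
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
"""

URPF = "ip verify unicast reverse-path"


def audit_urpf(config: str) -> dict:
    """Map each interface to 'ok', 'urpf-without-cef' or 'no-urpf'."""
    global_cef = False
    interfaces = {}              # interface name -> list of sub-commands
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():             # top-level command
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            elif re.fullmatch(r"ip cef( distributed)?", line):
                global_cef = True
            elif line == "no ip cef":
                global_cef = False
        elif current is not None:            # indented interface sub-command
            interfaces[current].append(line)
    result = {}
    for name, cmds in interfaces.items():
        if URPF not in cmds:
            result[name] = "no-urpf"
        elif global_cef and "no ip route-cache cef" not in cmds:
            result[name] = "ok"
        else:                                # uRPF configured, CEF not active
            result[name] = "urpf-without-cef"
    return result
```

Interfaces reported as urpf-without-cef are the ones to review: the anti-spoofing command is present in the configuration but the switching path it depends on is not.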