[4673] in North American Network Operators' Group


Re: SYN flood messages flooding my mailbox

daemon@ATHENA.MIT.EDU (Curtis Villamizar)
Tue Sep 24 12:43:32 1996

To: Vadim Antonov <avg@quake.net>
cc: curtis@ans.net, nanog@merit.edu
Reply-To: curtis@ans.net
In-reply-to: Your message of "Tue, 24 Sep 1996 01:03:25 PDT."
             <199609240803.BAA03576@quest.quake.net> 
Date: Tue, 24 Sep 1996 12:30:17 -0400
From: Curtis Villamizar <curtis@ans.net>


In message <199609240803.BAA03576@quest.quake.net>, Vadim Antonov writes:
> >Basing this on the AdjRibIn is more work than just reversing the
> >sense of the Fib but it does cover quite a few more cases.  Though not
> >all of them.
> 
> No, not of course; but more than enough to be practical.  A _lot_ more
> practical than manually (or semi-automatically) maintained access lists
> which do not provide any "visible" benefit.
> 
> >The transit providers still need to be able to trace attacks after the
> >fact since there is no filter that covers these cases...
> 
> Absolutely.  When other things do not help :)
> 
> >and filters at
> >the fringes will be spotty deployments.
> 
> That's why I want reverse-route verification to be _default_ behaviour
> of routers.  A person who knows how to use asymmetric routing would
> know how to turn the feature off.  A person who is clueless or simply
> doesn't care will leave default as is.
> 
> --vadim


Vadim,

I guess you missed what I proposed earlier.  It was similar though the
Fib was used so it only worked for single homed connections.  The
advantage was simplicity.  All that needed to be changed was the
forwarding code.  Your proposal involves the AdjRibIn which would
require BGP code changing flags on the forwarding entries.  A bit more
work for the router developers but covers more cases.  We both
proposed turning this on by default with clueful people who knew
routing would be asymmetric turning it off.

Curtis
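
The two source checks compared in this message, as an added example that is not part of the original post or any router's code. The interface names, prefixes and packets are constructed, and the Adj-RIB-In variant is read here as "accept if the neighbour on the arrival interface announced a route covering the source", which is an assumption.

```python
import ipaddress

# Constructed sample state (documentation prefixes; interface names are hypothetical).
# Adj-RIB-In: prefixes each neighbour announced, keyed by the interface it is reached on.
ADJ_RIB_IN = {
    "if-A": ["192.0.2.0/24"],
    "if-B": ["192.0.2.0/24", "203.0.113.0/24"],
    "if-C": ["198.51.100.0/24"],
}
# FIB: the single best next-hop interface chosen for each prefix.
FIB = {
    "192.0.2.0/24": "if-A",      # multihomed customer, best path via if-A
    "203.0.113.0/24": "if-B",
    "198.51.100.0/24": "if-C",
}

def _longest_match(prefixes, src):
    """Return the most specific prefix (as a string) covering src, or None."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = [n for n in nets if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

def fib_check(src, in_iface):
    """Reversed-FIB test: the best route back to src must leave via in_iface."""
    best = _longest_match(FIB, src)
    return best is not None and FIB[best] == in_iface

def adj_rib_in_check(src, in_iface):
    """Adj-RIB-In test: the neighbour on in_iface announced a route covering src."""
    return _longest_match(ADJ_RIB_IN.get(in_iface, []), src) is not None

def compare(packets):
    """Return (src, iface, fib_verdict, adj_rib_in_verdict) for each packet."""
    return [(s, i, fib_check(s, i), adj_rib_in_check(s, i)) for s, i in packets]

# Constructed packets: (source address, arrival interface).
PACKETS = [
    ("192.0.2.10", "if-A"),    # symmetric path
    ("192.0.2.10", "if-B"),    # multihomed, arrives on the non-best link
    ("198.51.100.7", "if-B"),  # source never announced on if-B
    ("10.9.9.9", "if-A"),      # source with no route at all
]

if __name__ == "__main__":
    for src, iface, fib_ok, rib_ok in compare(PACKETS):
        print(f"{src:15} on {iface}: FIB={'pass' if fib_ok else 'drop'} "
              f"Adj-RIB-In={'pass' if rib_ok else 'drop'}")
```

The second packet is the multihomed case: the reversed-FIB test drops it because the best path points at the other link, while the Adj-RIB-In test passes it.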
