[47338] in North American Network Operators' Group


Re: Effective ways to deal with DDoS attacks?

daemon@ATHENA.MIT.EDU (Mark Turpin)
Thu May 2 13:04:58 2002

Date: Thu, 2 May 2002 12:04:35 -0500
From: Mark Turpin <mark-nanog@gomez.charter.com>
To: "LeBlanc, Jason" <Jml@ebay.com>
Cc: nanog@merit.edu
Message-ID: <20020502120435.B98252@gomez.charter.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <30AEDFDE01F54A4582E1F69E78860D759F6FF8@sjc-exm-18.corp.ebay.com>; from Jml@ebay.com on Thu, May 02, 2002 at 09:41:33AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, May 02, 2002 at 09:41:33AM -0700, LeBlanc, Jason wrote something like this:
<snip>
> 
> There are some limitations as to where uRPF works, SONET only on GSRs for
> example (thanks Cisco).  I believe it will work on 65xx (SUP1A and SUP2 I
> think) regardless of interface type.  Impact should be minimal, as it simply
> does a lookup in the CEF table, if the route isn't there it discards.  Keep
> in mind this is NOT a filter, so the impact is much less, it is simply a CEF
> lookup, much more efficient than a filter.  This will get rid of a HUGE
> percentage of spoofed packets that hit your network, and would also work
> pretty well if you are the source of an attack.  There is some debate as to
> whether you must not have ANY RFC1918 space for this to work.  We're trying
> to find this out (not a priority), if I get info I'll post.
> 

Hmm... either you're being extremely vague, or you misunderstand how RPF works.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm

It's not checking CEF to see if a route is there.... it's making sure that a packet
received on an interface came in on an interface that is the best return path
to reach that packet.

Thereby explaining why multihomed customers will get borked in the event of using RPF.

enjoy,
-mark
-- 
         Support your local medical examiner--die strangely.

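The distinction Mark draws above (strict uRPF compares the ingress interface against the best return path to the source, it does not merely ask whether a route exists) is easy to see in a small simulation. The block below is an added example and is not code from the thread or from any vendor; the FIB entries, interface names and sample packets are constructed, and the "allow_default" switch is modelled on the allow-default option of Cisco's strict/loose uRPF rather than on anything the posters described. It shows the three outcomes a practitioner cares about: a spoofed source is dropped, a multihomed customer whose traffic enters on the non-best link is also dropped in strict mode (the "borked" case) but passes in loose mode, and a source covered only by the default route, such as an RFC1918 address, is dropped in both modes unless the default route is allowed.

```python
"""
Added example, not from the original NANOG post: simulate strict and loose
unicast Reverse Path Forwarding (uRPF) against a hand-built FIB.
"""
import ipaddress

# Constructed FIB (prefix -> egress interface), standing in for the CEF table.
# Assumed topology: Serial0 is the upstream; Ethernet1-3 face customers.
# 198.51.100.0/24 is a multihomed customer attached on both Ethernet2 and
# Ethernet3; our best path to it is via Ethernet2.
FIB = {
    "0.0.0.0/0":       "Serial0",
    "192.0.2.0/24":    "Ethernet1",
    "198.51.100.0/24": "Ethernet2",
    "203.0.113.0/24":  "Ethernet3",
}


def lookup(fib, addr):
    """Longest-prefix match on the FIB. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """
    Return True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict: the interface the FIB would use to reach `src` must equal `ingress`.
    loose:  any route to `src` suffices, regardless of interface.
    In both modes a match on the default route only counts when allow_default
    is set (assumed behaviour, modelled on the vendor allow-default option).
    """
    match = lookup(fib, src)
    if match is None:
        return False                      # no route at all: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers src
    if mode == "loose":
        return True                       # route exists, interface irrelevant
    return iface == ingress               # strict: must be the best return path


def evaluate(fib, packets, mode="strict", allow_default=False):
    """Run every (src, ingress) packet through uRPF; return {(src, ingress): verdict}."""
    return {
        (src, ingress): ("pass" if urpf_check(fib, src, ingress, mode, allow_default)
                         else "drop")
        for src, ingress in packets
    }


# Constructed sample packets (source address, ingress interface).
PACKETS = [
    ("192.0.2.10",   "Ethernet1"),  # legitimate single-homed customer
    ("192.0.2.10",   "Ethernet3"),  # same source spoofed from customer C's link
    ("198.51.100.7", "Ethernet3"),  # multihomed customer entering on its non-best link
    ("10.1.2.3",     "Ethernet1"),  # RFC1918 source: only the default route matches
    ("198.18.0.1",   "Serial0"),    # arbitrary Internet source on the upstream link
]

if __name__ == "__main__":
    for mode, allow_default in (("strict", False), ("loose", False), ("loose", True)):
        print(f"--- mode={mode} allow_default={allow_default}")
        for (src, ingress), verdict in evaluate(FIB, PACKETS, mode, allow_default).items():
            print(f"{src:>14} via {ingress:<9} -> {verdict}")
```

Reading the strict-mode output against the FIB explains both halves of the thread: the check costs one FIB lookup per packet, as Jason says, but what it compares is the lookup's interface, as Mark says, so a customer whose return path is not the link the packet came in on is dropped even though a perfectly good route to that customer exists. Loose mode is the usual answer for such interfaces, at the price of no longer catching spoofing of prefixes that are routable somewhere.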