[54859] in North American Network Operators' Group
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
daemon@ATHENA.MIT.EDU (Chris Adams)
Sat Jan 18 23:46:35 2003
Date: Sat, 18 Jan 2003 22:45:11 -0600
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@merit.edu
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@merit.edu
In-Reply-To: <20030118195128.GC25416@aharp.is-net.depaul.edu>; from jtk@aharp.is-net.depaul.edu on Sat, Jan 18, 2003 at 01:51:28PM -0600
Errors-To: owner-nanog-outgoing@merit.edu
Once upon a time, John Kristoff <jtk@aharp.is-net.depaul.edu> said:
> It might be nice if all router vendors were able to associate the
> interface configured address(es)/nets as a variable for ingress
> filters. So for in the Cisco world, a simple example would be:
>
> interface Serial0
> ip address 192.0.2.1 255.255.255.128
> ip access-group 100 in
> !
> interface Serial1
> ip address 192.0.2.129 255.255.255.128
> ip access-group 100 in
> !
> access-list 100 permit ip $interface-routes any
> access-list 100 deny ip any any

How is this different from "ip verify unicast reverse-path" (modulo CEF
problems and bugs, which of course NEVER happen :-) )?

Multihomed customers are more interesting, but if all the single-homed
customers had uRPF (or $VENDOR's equivalent) enabled it would cut down
on a significant amount of the spoofed traffic.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
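To make the comparison in the thread concrete, here is an added illustration (not from either poster) that models the proposed "$interface-routes" ACL next to strict uRPF on a small constructed FIB, and shows why the multihomed case is "more interesting": a legitimate source arriving over the non-best-path link is dropped by both. Loose-mode uRPF (any non-default route) is included as the usual relaxation for that case; the topology, prefixes and interface names are assumptions for the example, and the default-route handling is simplified.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", ["prefix", "iface"])

# Constructed sample FIB: the two single-homed links from the quoted config,
# plus a multihomed customer (198.51.100.0/24) whose best path is Serial0 but
# who also attaches via Serial1 (assumed topology, not from the post).
FIB = [
    Route(ipaddress.ip_network("192.0.2.0/25"), "Serial0"),
    Route(ipaddress.ip_network("192.0.2.128/25"), "Serial1"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "Serial0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Ethernet0"),  # upstream default
]

def best_route(fib, src):
    """Longest-prefix match on the *source* address, like a CEF lookup."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def strict_urpf(fib, src, in_iface):
    """'ip verify unicast reverse-path': pass only if the best route back
    to the source points out the interface the packet arrived on."""
    r = best_route(fib, src)
    return r is not None and r.iface == in_iface

def interface_routes_acl(fib, src, in_iface):
    """The proposed 'permit ip $interface-routes any': permit if the source
    falls inside any prefix the FIB associates with the ingress interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in r.prefix for r in fib if r.iface == in_iface)

def loose_urpf(fib, src):
    """Loose mode: any route at all counts, default route excluded (simplified).
    This is the usual relaxation for multihomed / asymmetric customers."""
    r = best_route(fib, src)
    return r is not None and r.prefix.prefixlen > 0

if __name__ == "__main__":
    # Constructed packets: legitimate, spoofed, and multihomed-on-backup-link.
    for src, iface in [("192.0.2.5", "Serial0"), ("10.1.1.1", "Serial0"),
                       ("198.51.100.7", "Serial1")]:
        print(src, iface, "strict=%s acl=%s loose=%s" % (
            strict_urpf(FIB, src, iface),
            interface_routes_acl(FIB, src, iface), loose_urpf(FIB, src)))
```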