[56977] in North American Network Operators' Group


RE: Using Policy Routing to stop DoS attacks

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue Mar 25 12:03:11 2003

Date: Tue, 25 Mar 2003 17:00:33 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Jim Deleskie <jdeleski@rci.rogers.com>
Cc: "'jtk@aharp.is-net.depaul.edu'" <jtk@aharp.is-net.depaul.edu>,
	<nanog@merit.edu>
In-Reply-To: <6F0C08B425B2D611ABB40003474D42DF740640@rssesnext.rogers.com>
Errors-To: owner-nanog-outgoing@merit.edu



On Tue, 25 Mar 2003, Jim Deleskie wrote:
> >If you fooled the router into thinking that the reverse path for the
> >source is on another interface and then used strict unicast RPF
> >checking, that may accomplish what you want without using ACLs.  I don't
> >know what impact it would have on your CPU however; you'll have to
> >investigate or provide more details.
>
>
> However, you'd also risk losing any traffic that was asymmetric in nature.

Not necessarily: implement uRPF 'loose check'. So long as the source wasn't
RFC1918 or had an invalid adjacency, things should work... BUT keep in mind
how the uRPF is processed on the platform in question :) just turning it
on might tip the 5500 over.
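The strict-versus-loose distinction in the exchange above, as an added example that is not part of the original thread: a small Python model of a FIB with longest-prefix match and a uRPF check in both modes. It is a simplified model of Cisco-style behaviour, not vendor code; the interface names, prefixes and packets are constructed, and the assumptions (a Null0 route fails both modes, a bare default route does not satisfy loose mode) are stated in the comments.

```python
import ipaddress
from dataclasses import dataclass

# Interface name used for null-routed (black-holed) prefixes; constructed label.
NULL_IFACE = "Null0"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if addr in r.prefix and (
                best is None or r.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = r
        return best


def urpf_check(fib, src, in_iface, mode):
    """Return True if a packet with source `src` arriving on `in_iface`
    passes the unicast RPF check in the given mode ("strict" or "loose").

    Assumptions of this model (simplified from common router behaviour):
      - no route, or only the default route, fails in both modes;
      - a route pointing at Null0 fails in both modes;
      - strict additionally requires the best route to point back out
        the arriving interface, so asymmetric traffic fails strict only.
    """
    route = fib.lookup(src)
    if route is None or route.prefix.prefixlen == 0:
        return False  # unrouted or default-only source (e.g. bogon, spoofed)
    if route.iface == NULL_IFACE:
        return False  # source prefix is black-holed
    if mode == "strict":
        return route.iface == in_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample FIB: upstream on eth0, two customer prefixes on
# eth1/eth2, and an RFC1918 block null-routed.
SAMPLE_FIB = Fib([
    ("0.0.0.0/0", "eth0"),
    ("203.0.113.0/24", "eth1"),
    ("198.51.100.0/24", "eth2"),
    ("10.0.0.0/8", NULL_IFACE),
])

# Constructed sample packets as (source address, arriving interface).
SAMPLE_PACKETS = [
    ("203.0.113.7", "eth1"),    # symmetric: best route is the arriving interface
    ("198.51.100.9", "eth1"),   # asymmetric: best route is eth2, arrives on eth1
    ("10.1.2.3", "eth1"),       # RFC1918 source, null-routed
    ("192.0.2.50", "eth1"),     # only the default route covers this source
]


def run(mode, fib=SAMPLE_FIB, packets=SAMPLE_PACKETS):
    """Apply the check in `mode` to every packet; returns (src, iface, passed)."""
    return [(src, iface, urpf_check(fib, src, iface, mode)) for src, iface in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} ---")
        for src, iface, ok in run(mode):
            print(f"{src:>14} on {iface}: {'pass' if ok else 'DROP'}")
```

Running it shows the trade-off the thread is about: strict mode drops the asymmetric customer packet along with the bogon and spoofed ones, while loose mode keeps the asymmetric packet and still drops the RFC1918 and default-route-only sources.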

