[64979] in North American Network Operators' Group
Re: uRPF-based Blackhole Routing System Overview
daemon@ATHENA.MIT.EDU (Greg Maxwell)
Fri Nov 7 14:44:00 2003
Date: Fri, 7 Nov 2003 14:29:00 -0500 (EST)
From: Greg Maxwell <gmaxwell@martin.fl.us>
To: "Robert A. Hayden" <rhayden@geek.net>
Cc: Nanog Mailing list <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.44.0311071223210.18779-100000@shell.geek.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 7 Nov 2003, Robert A. Hayden wrote:
[snip]
> One final note. This system is pretty useless for modem pools, VPN
> concentrators, and many DHCP implementations. The dynamic IP nature of
> these setups means you will just kill legitimate traffic next time someone
> gets the IP. You can attempt to correlate your detection with the time
> they were handed out, of course, in the hopes you find them.
Another approach to address this type of problem is the source-spoofing-preventing
dynamic-ACL support that some vendors have been adding to their products. I
don't know if it's in anyone's production code-trains yet.
The basic idea is that your switch snoops DHCP traffic to the port and
generates an ACL based on the address assigned to the client. Removing a
host is as simple as configuring your DHCP server to ignore its requests
and perhaps sending a crafty packet (custom-written DECLINE) to burp the
existing ACL out of the switch.
Vendor F calls this feature "Source IP Port Security", I'm not sure what
vendor C calls it.
Since this is a layer 2 feature you can configure it far out on the edge
and not just at the router.
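The mechanism sketched in the message above, modelled as an added example that is not part of the original post or of any vendor's code. (For the record, vendor C's name for this is IP Source Guard, layered on its DHCP snooping binding table.) The model is deliberately simplified: one VLAN, no MAC-header checks, and only the DHCP fields that matter here (message type, chaddr, the assigned or requested address, and the lease). The switch learns the client's port from its DISCOVER/REQUEST, installs a per-port source-IP permit when the ACK arrives on a trusted uplink, drops server messages arriving on access ports, and clears a permit on a DECLINE/RELEASE only when it matches that port's own lease. The MACs and addresses are constructed from the RFC 7042 and RFC 5737 documentation ranges.

```python
"""Toy model of a DHCP-snooping switch that turns each lease into a per-port
source-IP permit (the "dynamic ACL" in the post). Added example, not vendor
code; MACs/addresses are constructed from documentation ranges."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# DHCP message types, RFC 2132 option 53
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE = 1, 2, 3, 4
DHCPACK, DHCPNAK, DHCPRELEASE = 5, 6, 7
SERVER_MSGS = {DHCPOFFER, DHCPACK, DHCPNAK}


@dataclass
class Binding:
    port: str
    mac: str
    ip: str
    expires: float  # absolute time at which the lease seen in the DHCPACK ends


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)          # uplinks towards the real DHCP server
        self.client_port: Dict[str, str] = {}      # chaddr -> access port it last spoke DHCP on
        self.bindings: Dict[Tuple[str, str], Binding] = {}  # (port, chaddr) -> lease

    def on_dhcp(self, ingress: str, msg_type: int, chaddr: str,
                ip: Optional[str] = None, lease: float = 0, now: float = 0) -> bool:
        """Snoop one DHCP message arriving on `ingress`.
        Returns True if the switch forwards it, False if it drops it."""
        if msg_type in SERVER_MSGS:
            if ingress not in self.trusted:
                return False                       # rogue server on an access port
            port = self.client_port.get(chaddr)
            if msg_type == DHCPACK and port is not None and ip:
                # Lease granted: install the source-IP permit on the client's port
                self.bindings[(port, chaddr)] = Binding(port, chaddr, ip, now + lease)
            elif msg_type == DHCPNAK and port is not None:
                self.bindings.pop((port, chaddr), None)
            return True
        # Client-originated messages
        if msg_type in (DHCPDISCOVER, DHCPREQUEST):
            self.client_port[chaddr] = ingress     # remember which port this client is on
            return True
        if msg_type in (DHCPDECLINE, DHCPRELEASE):
            b = self.bindings.get((ingress, chaddr))
            if b is None or b.ip != ip:
                return False                       # does not match this port's lease: drop
            del self.bindings[(ingress, chaddr)]   # "burp" the ACL entry out
            return True
        return True

    def permit(self, ingress: str, mac: str, src_ip: str, now: float) -> bool:
        """Source-IP check applied to ordinary (non-DHCP) traffic on an access port."""
        if ingress in self.trusted:
            return True                            # uplinks are not filtered
        b = self.bindings.get((ingress, mac))
        return b is not None and b.ip == src_ip and now < b.expires


MAC_A = "00:00:5e:00:53:0a"   # constructed, RFC 7042 documentation range
MAC_B = "00:00:5e:00:53:0b"   # constructed


def demo() -> Dict[str, bool]:
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    r: Dict[str, bool] = {}

    # Host A on access port Fa0/1 obtains 192.0.2.50 for an hour
    sw.on_dhcp("Fa0/1", DHCPREQUEST, MAC_A)
    sw.on_dhcp("Gi0/1", DHCPACK, MAC_A, ip="192.0.2.50", lease=3600, now=0)
    r["a_own_ip"] = sw.permit("Fa0/1", MAC_A, "192.0.2.50", now=10)
    r["a_spoofed_ip"] = sw.permit("Fa0/1", MAC_A, "192.0.2.99", now=10)
    r["a_ip_from_other_port"] = sw.permit("Fa0/2", MAC_A, "192.0.2.50", now=10)

    # Rogue DHCP server on an access port: its ACK is dropped, no binding appears
    r["rogue_ack_forwarded"] = sw.on_dhcp("Fa0/2", DHCPACK, MAC_B, ip="192.0.2.60", lease=3600, now=10)

    # A forged RELEASE for A's lease from another port matches no binding there
    r["forged_release_forwarded"] = sw.on_dhcp("Fa0/2", DHCPRELEASE, MAC_A, ip="192.0.2.50", now=15)
    r["a_still_ok"] = sw.permit("Fa0/1", MAC_A, "192.0.2.50", now=16)

    # Operator removes A: the server is told to ignore A's renewals, and a
    # crafted DECLINE matching A's own lease clears the binding immediately
    r["decline_forwarded"] = sw.on_dhcp("Fa0/1", DHCPDECLINE, MAC_A, ip="192.0.2.50", now=20)
    r["a_after_decline"] = sw.permit("Fa0/1", MAC_A, "192.0.2.50", now=30)

    # The address is later handed to host B on Fa0/3: B works, A cannot squat on it
    sw.on_dhcp("Fa0/3", DHCPREQUEST, MAC_B)
    sw.on_dhcp("Gi0/1", DHCPACK, MAC_B, ip="192.0.2.50", lease=3600, now=40)
    r["b_own_ip"] = sw.permit("Fa0/3", MAC_B, "192.0.2.50", now=50)
    r["a_squatting"] = sw.permit("Fa0/1", MAC_A, "192.0.2.50", now=50)
    r["b_after_expiry"] = sw.permit("Fa0/3", MAC_B, "192.0.2.50", now=40 + 3600)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {ok}")
```

The point the model makes concrete is why this sidesteps the dynamic-IP problem of a pure blackhole list: the permit is keyed on port and client, not on the address alone, so when the DHCP server reassigns the address to the next host that host works, while the removed host can neither keep using its old address nor pick another one. Two caveats a practitioner would check on real hardware: a switch that keys its binding table on MAC only (rather than port plus MAC) will follow a cloned MAC across ports, and leases the switch learned before snooping was enabled are not in the table at all, so existing hosts are cut off until they renew.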