[13869] in bugtraq
Re: DDOS Attack Mitigation
daemon@ATHENA.MIT.EDU (Bennett Todd)
Thu Feb 17 02:02:43 2000
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="5Y5y2FX8vnqwSxRu"
Message-Id: <20000215191248.B11665@rahul.net>
Date: Tue, 15 Feb 2000 19:12:48 -0500
Reply-To: Bennett Todd <bet@RAHUL.NET>
From: Bennett Todd <bet@RAHUL.NET>
X-To: Julien Nadeau <julien@CSOFT.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38A84CF9.9D827F49@csoft.net>; from julien@CSOFT.NET on Mon,
Feb 14, 2000 at 02:44:09PM -0400
--5Y5y2FX8vnqwSxRu
Content-Type: text/plain; charset=us-ascii
2000-02-14-13:44:09 Julien Nadeau:
> A solution would be for kernels to provide an option to keep a
> local IP lookup table which could be simply based on network
> interfaces; of course, given an stable implementation, this option
> enabled by default would take care of spoofing problems for admins
> who don't think much about what they're sending out -- i mean,
> they're big part of the problem.
Linux already has such an option; just go
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
and the routing logic will drop packets with forged source addrs.
It's not on by default. Yet.
I theorize that this will be an option, turned on by default,
on most or all routers, before much longer. Kinda like how MTAs
switched to disabling open relaying by default when the spammers got
to be too much of a nuisance.
-Bennett
--5Y5y2FX8vnqwSxRu
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4qeuAL6KAps40sTYRAbUNAJ9aeX/w1sGVf5pb95urit1rky3VQQCgiey9
Cp3UuIGlj6PaHFp/jfUo6Ls=
=1n5d
-----END PGP SIGNATURE-----
--5Y5y2FX8vnqwSxRu--
