Bugtraq mailing list archives

Re: DDOS Attack Mitigation


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Fri, 18 Feb 2000 12:35:51 -0800


I am summarizing a number of responses on this thread.

Unicast Reverse Path Forwarding (RPF).

ip verify unicast reverse-path

This command drops traffic arriving on an interface if that interface
is not the one the router would use to route back to the packet's source
address. In effect it drops packets with spoofed source addresses. It
requires that Cisco Express Forwarding (CEF or dCEF) be turned on. On a
non-stub network with asymmetric routing it may drop legitimate traffic,
so it is of little use in core routers.

The command must be used when configuring an interface, not globally.
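
To make the check concrete, here is an added simulation of the strict
reverse-path decision described above. It is not Cisco code and does not
reproduce CEF; it models only the rule a router applies: look up the
packet's source address in the forwarding table and accept the packet
only if the best route back to that source leaves through the interface
the packet arrived on. The forwarding table, interface names and sample
packets are all constructed for this example, and the per-interface
enable list mirrors the fact that the command is applied per interface.

```python
"""Strict Unicast RPF check, simulated (added example, not Cisco code).

The FIB below stands in for what CEF would hold: prefix -> egress
interface.  A packet is accepted only if the longest-prefix match for
its *source* address points back out the interface it arrived on.
All prefixes, interfaces and packets are constructed sample values.
"""

import ipaddress

# Constructed forwarding table: (prefix, egress interface).
FIB = [
    ("192.0.2.0/24",    "Ethernet0"),  # customer LAN behind this router (stub)
    ("198.51.100.0/24", "Serial0"),    # upstream ISP A
    ("203.0.113.0/24",  "Serial1"),    # upstream ISP B
    ("0.0.0.0/0",       "Serial0"),    # default route via ISP A
]


def best_route(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_rpf_accept(fib, in_iface, src):
    """Strict uRPF: accept only if the route back to src exits via in_iface."""
    return best_route(fib, src) == in_iface


def filter_packets(fib, packets, rpf_ifaces):
    """Apply strict uRPF on the interfaces in rpf_ifaces (the check is
    configured per interface, not globally).  Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for in_iface, src, dst in packets:
        if in_iface in rpf_ifaces and not strict_rpf_accept(fib, in_iface, src):
            dropped.append((in_iface, src, dst))
        else:
            accepted.append((in_iface, src, dst))
    return accepted, dropped


# Constructed sample packets: (arrival interface, source, destination).
PACKETS = [
    ("Ethernet0", "192.0.2.10",   "198.51.100.5"),  # genuine customer traffic
    ("Ethernet0", "10.9.8.7",     "198.51.100.5"),  # spoofed source from the LAN
    ("Serial0",   "198.51.100.5", "192.0.2.10"),    # reply from ISP A, symmetric
    ("Serial0",   "203.0.113.9",  "192.0.2.10"),    # ISP B address arriving via A:
                                                    # asymmetric, route back is Serial1
]


def demo():
    """Run the filter twice: on the stub interface only, and on an upstream too."""
    stub_only = filter_packets(FIB, PACKETS, {"Ethernet0"})
    with_upstream = filter_packets(FIB, PACKETS, {"Ethernet0", "Serial0"})
    return stub_only, with_upstream


if __name__ == "__main__":
    (acc1, drp1), (acc2, drp2) = demo()
    print("stub interface only, dropped:", [p[1] for p in drp1])
    print("stub + upstream Serial0, dropped:", [p[1] for p in drp2])
```

Enabling the check only on the stub customer interface drops the spoofed
packet and nothing else. Enabling it on the upstream interface as well
also drops the legitimate but asymmetrically routed packet from ISP B's
address space, which is exactly the false-positive case that makes the
feature unsuitable for core or multi-homed transit routers.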

Cisco Express Forwarding (CEF) is advanced Layer 3 IP switching technology.
CEF optimizes network performance and scalability for networks with large
and dynamic traffic patterns, such as the Internet, on networks characterized
by intensive Web-based applications, or interactive sessions.
Although you can use CEF in any part of a network, it is designed for
high-performance, highly resilient Layer 3 IP backbone switching.

Cisco claims Unicast RPF is not supported in IOS 11.2 or 11.3. Unicast RPF
is included in IOS 12.0 on all platforms that support CEF.
CEF-supported platforms include Cisco 7000 series routers equipped with the
RSP7000, the 7200 series, 7500 series, 12000 series, and AS5800.

http://www.cisco.com/warp/public/707/newsflash.html
http://www-search.cisco.com/univercd/cc/td/doc/product/software/ios112/ios112p/gsr/cef.htm

Comments from others:

Darren Reed <avalon () coombs anu edu au>

The command is valid on Cisco 1720s with IOS 12.0(3)T3 when configuring
in interface mode (fast ethernet) but not globally (no CEF). Have not
tested to verify it works.

I'm told that it is available on "2600, 3600, 7200 and RSP images."
and that the web page needs some fleshing out.  Wait and see I guess.

Hugh LaMaster <lamaster () nren nasa gov> :

Well, it was/is in 11.1(17)CC and later CC images, which
goes back about 2 or 2-1/2 years or so, and, it has been
in all 12.0(x)S.  I'm not sure about all other 12.0 images,
since we have used 11.1(x)CC and 12.0(x)S images since I've been
here - but, the web pages imply that it is in most/all 12.0 images;
the -CC and -S trains are the so-called ISP versions,
which transit ISPs use, and, which many campuses and Tier 2-4
providers should probably also use on their borders and aggregation
routers.

"Simon Clausen" <sclausen () protocol com au>:

Confirmed the command is available on a Cisco 7206 under IOS 12.0(5)EX2.

Jim Littlefield <little () hks com>:

Concludes that "CEF is not an option in IOS (tm) 2500 Software (C2500-I-L),
Version 12.0(9).", and thus Unicast RPF does not work.

Nick Krassas <dreamer () darkness gr>:

States the command is valid "for all 1700 cisco's ios and 2600 series."

"Jon Snyder" <jon () oit pdx edu>:

Says, "On our AS5300 running a 12.0T release the command is supported."

"Bret Piatt" <dknight () csuchico edu>:

States, "Its available on all the 12.x I looked on 1400, 1600, 2500, 2600,
and 3600 series routers".

Anyone know of similar functionality on routers from other manufacturers
(e.g. Nortel, Bay, Juniper, etc)?


--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
