Bugtraq mailing list archives
Re: DDOS Attack Mitigation
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Fri, 18 Feb 2000 12:35:51 -0800
I am summarizing a number of responses on this thread.

Unicast Reverse Path Forwarding (RPF).

    ip verify unicast reverse-path

This command drops traffic from an interface if that interface is not the route back to the address. This in effect drops spoofed addresses. It requires that Cisco Express Forwarding (CEF or dCEF) be turned on. It may drop legitimate traffic on a non-stub network with asymmetric traffic, so it's not much use in core routers. The command can be used when configuring an interface, not globally.

Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, or on networks characterized by intensive Web-based applications or interactive sessions. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP backbone switching.

Cisco claims Unicast RPF is not supported in IOS 11.2 or 11.3. Unicast RPF is included in IOS 12.0 on all platforms that support CEF. CEF-supported platforms include Cisco 7000 series routers equipped with RSP7000, the 7200 series, 7500 series, 12000 series, and AS5800.

http://www.cisco.com/warp/public/707/newsflash.html
http://www-search.cisco.com/univercd/cc/td/doc/product/software/ios112/ios112p/gsr/cef.htm

Comments from others:

Darren Reed <avalon () coombs anu edu au>: The command is valid on Cisco 1720s with IOS 12.0(3)T3 when configuring in interface mode (fast ethernet) but not globally (no CEF). Have not tested to verify it works. I'm told that it is available on "2600, 3600, 7200 and RSP images." and that the web page needs some fleshing out. Wait and see I guess.

Hugh LaMaster <lamaster () nren nasa gov>: Well, it was/is in 11.1(17)CC and later CC images, which goes back about 2 or 2-1/2 years or so, and it has been in all 12.0(x)S. I'm not sure about all other 12.0 images, since we have used 11.1(x)CC and 12.0(x)S images since I've been here, but the web pages imply that it is in most/all 12.0 images; the -CC and -S trains are the so-called ISP versions, which transit ISPs use, and which many campuses and Tier 2-4 providers should probably also use on their borders and aggregation routers.

"Simon Clausen" <sclausen () protocol com au>: Confirmed the command is available on a Cisco 7206 under IOS 12.0(5)EX2.

Jim Littlefield <little () hks com>: Concludes that "CEF is not an option in IOS (tm) 2500 Software (C2500-I-L), Version 12.0(9).", and thus Unicast RPF does not work.

Nick Krassas <dreamer () darkness gr>: States the command is valid "for all 1700 cisco's ios and 2600 series.".

"Jon Snyder" <jon () oit pdx edu>: Says, "On our AS5300 running a 12.0T release the command is supported.".

"Bret Piatt" <dknight () csuchico edu>: States, "Its available on all the 12.x I looked on 1400, 1600, 2500, 2600, and 3600 series routers".

Anyone know of similar functionality on routers from other manufacturers (e.g. Nortel, Bay, Juniper, etc)?

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
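The check that `ip verify unicast reverse-path` performs, modelled as an added example that is not part of the post above or of any Cisco code: a small forwarding table is looked up by longest-prefix match (the role CEF's FIB plays on the router), and a packet is forwarded only if the best route back to its source address leaves through the interface the packet arrived on. The FIB, the interface names and the RFC 5737 documentation addresses are constructed for the example; the last sample packet shows the asymmetric-routing case the post warns about, where a legitimate packet from the upstream is dropped because it arrived on a link the FIB does not prefer.

```python
import ipaddress

# Constructed FIB for a stub edge router: prefix -> egress interface.
# Assumption: this stands in for CEF's forwarding table; "best route" is the
# longest matching prefix, which is what strict unicast RPF consults.
FIB = {
    "192.0.2.0/24": "FastEthernet0/0",      # customer LAN A (RFC 5737 range)
    "198.51.100.0/24": "FastEthernet0/1",   # customer LAN B (RFC 5737 range)
    "0.0.0.0/0": "Serial0/0",               # default route toward the upstream
}
# A second upstream link, Serial0/1, exists in this model but the FIB never
# prefers it, so return traffic may legitimately arrive there (asymmetric path).


def best_route(address):
    """Longest-prefix match of an IPv4 address against FIB; returns the egress interface."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_check(src, ingress):
    """Strict unicast RPF: accept only if the best route back to src exits via ingress."""
    return best_route(src) == ingress


def filter_packets(packets):
    """Apply the strict RPF check to (src, dst, ingress) tuples; returns verdicts."""
    verdicts = []
    for src, dst, ingress in packets:
        verdict = "forward" if strict_urpf_check(src, ingress) else "drop"
        verdicts.append((src, ingress, verdict))
    return verdicts


# Constructed sample traffic: (source, destination, ingress interface).
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5", "FastEthernet0/0"),    # genuine LAN A host
    ("198.51.100.7", "203.0.113.5", "FastEthernet0/0"),  # LAN B address seen on LAN A: spoofed
    ("203.0.113.5", "192.0.2.10", "Serial0/0"),          # reply from upstream on the preferred link
    ("203.0.113.5", "192.0.2.10", "Serial0/1"),          # same reply on the other link: false drop
]

if __name__ == "__main__":
    for src, ingress, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:15} in {ingress:16} -> {verdict}")
```

On a real IOS router the equivalent is `ip cef` in global configuration followed by `ip verify unicast reverse-path` under each customer-facing interface; the fourth sample packet is why the post advises against enabling it on core routers that see asymmetric traffic.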