nanog mailing list archives
Re: Effective ways to deal with DDoS attacks?
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Thu, 2 May 2002 13:22:48 -0400
On Thu, May 02, 2002 at 12:04:35PM -0500, Mark Turpin wrote:
On Thu, May 02, 2002 at 09:41:33AM -0700, LeBlanc, Jason wrote something like this: <snip>There are some limitations as to where uRPF works, SONET only on GSRs for example (thanks Cisco). I believe it will work on 65xx (SUP1A and SUP2 I think) regardless of interface type. Impact should be minimal, as it simply does a lookup in the CEF table, if the route isn't there it discards. Keep in mind this is NOT a filter, so the impact is much less, it is simply a CEF lookup, much more efficient than a filter. This will get rid of a HUGE percentage of spoofed packets that hit your network, and would also work pretty well if you are the source of an attack. There is some debate as to whether you must not have ANY RFC1918 space for this to work. We're trying to find this out (not a priority), if I get info I'll post.
hmm... either you're being extremely vague, or you misunderstand how RPF works. http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm Its not checking cef to see if a route is there.... its making sure that a packet received on an interface came in on an interface that is the best return path to reach that packet. thereby explaining why multihomed customers will get borked in the event of using rpf.
RPF works by matching the source address of the packet against the CEF table, in addition to the normal match against the destination address. There are multiple modes of operation, ranging from "is there a route for the source address to the specific interface it come in on" to "is there a route to the source address for ANY interface on the box" The former is used to stop your single homed customers from spoofing wildly into the internet. The latter is usually used as a stopgap measure to limit the number of spoofed packets coming into your network via transits. The number you'd expect to filter is 50%, assuming the attacker in question is using an evenly distributing random() function. -- Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Current thread:
- Re: Effective ways to deal with DDoS attacks?, (continued)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 02)
- Re: Effective ways to deal with DDoS attacks? Hank Nussbacher (May 02)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 02)
- Re: Effective ways to deal with DDoS attacks? E.B. Dreger (May 02)
- Re: Effective ways to deal with DDoS attacks? E.B. Dreger (May 02)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 02)
- Re: Effective ways to deal with DDoS attacks? Rubens Kuhl Jr. (May 03)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 02)
- RE: Effective ways to deal with DDoS attacks? Iljitsch van Beijnum (May 02)
- Re: Effective ways to deal with DDoS attacks? Mark Turpin (May 02)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 02)
- Re: Effective ways to deal with DDoS attacks? Iljitsch van Beijnum (May 02)
- RE: Effective ways to deal with DDoS attacks? Barry Raveendran Greene (May 03)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 03)
- Re: Effective ways to deal with DDoS attacks? Iljitsch van Beijnum (May 03)
- /31 mask address Toan Do (May 03)
- Re: /31 mask address Simon Lockhart (May 03)
- Re: /31 mask address Andre Chapuis (May 03)
- Re: /31 mask address Simon Lockhart (May 03)
- Re: /31 mask address Robert E. Seastrom (May 03)