Re: DDOS Attack Mitigation

[avalon () COOMBS ANU EDU AU (Darren Reed)]

In some mail from Hugh LaMaster, sie said:
[...]
> > > The simplest ingress filtering to stop IP address
> > > spoofing on a Cisco is simply to apply the following
> > > to stub network interfaces:
> > >
> > >  ip verify unicast reverse-path
> > >
> > > I assume that this is mostly what people are talking about
> > > in this context.
> >
> > How recent is this in terms of IOS releases ?
>
> Well, it was/is in 11.1(17)CC and later CC images, which
> goes back about 2 or 2-1/2 years or so, and, it has been
> in all 12.0(x)S.  I'm not sure about all other 12.0 images,
> since we have used 11.1(x)CC and 12.0(x)S images since I've been
> here - but, the web pages imply that it is in most/all 12.0 images;
> the -CC and -S trains are the so-called ISP versions,
> which transit ISPs use, and, which many campuses and Tier 2-4
> providers should probably also use on their borders and aggregation
> routers.

Hmm,from a 1720:

gw#show version
21:07:33: %SYS-5-CONFIG_I: Configured from console by console
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.0(3)T3,  RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Thu 15-Apr-99 13:58 by kpma
Image text-base: 0x80008088, data-base: 0x804FC75C

ROM: System Bootstrap, Version 12.0(1)XA1, RELEASE SOFTWARE (fc1)

...
gw(config)#ip verify unicast reverse-path
                   ^
% Invalid input detected at '^' marker.

Darren