Bugtraq mailing list archives
Re: DDOS Attack Mitigation
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 16 Feb 2000 12:50:27 +1100
In some mail from Hugh LaMaster, sie said: [...]
The simplest ingress filtering to stop IP address spoofing on a Cisco is simply to apply the following to stub network interfaces:

    ip verify unicast reverse-path

I assume that this is mostly what people are talking about in this context.

How recent is this in terms of IOS releases?

Well, it was/is in 11.1(17)CC and later CC images, which goes back about 2 or 2-1/2 years or so, and, it has been in all 12.0(x)S. I'm not sure about all other 12.0 images, since we have used 11.1(x)CC and 12.0(x)S images since I've been here - but, the web pages imply that it is in most/all 12.0 images; the -CC and -S trains are the so-called ISP versions, which transit ISPs use, and, which many campuses and Tier 2-4 providers should probably also use on their borders and aggregation routers.
Hmm, from a 1720:

    gw#show version
    21:07:33: %SYS-5-CONFIG_I: Configured from console by console
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-Y-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Thu 15-Apr-99 13:58 by kpma
    Image text-base: 0x80008088, data-base: 0x804FC75C

    ROM: System Bootstrap, Version 12.0(1)XA1, RELEASE SOFTWARE (fc1)
    ...
    gw(config)#ip verify unicast reverse-path
    ^
    % Invalid input detected at '^' marker.

Darren
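A model of the check that `ip verify unicast reverse-path` performs, as an added example that is not part of the original post: a packet is accepted only when the best route back to its source address leaves through the interface it arrived on. The route table, interface names and sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed FIB for a stub-site border router (documentation prefixes;
# interface names are assumptions made for this example).
FIB = [
    ("192.0.2.0/25", "FastEthernet0"),    # stub LAN A
    ("192.0.2.128/25", "FastEthernet1"),  # stub LAN B
    ("0.0.0.0/0", "Serial0"),             # default route to upstream
]


def best_route(fib, addr):
    """Longest-prefix match: return (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def strict_rpf_accept(fib, src, in_ifc):
    """Strict reverse-path check: accept only when the best route back to
    the source address leaves through the interface the packet arrived on."""
    route = best_route(fib, src)
    return route is not None and route[1] == in_ifc


def filter_packets(fib, packets):
    """Return [(src, in_ifc, 'pass' | 'drop')] for each packet."""
    return [(s, i, "pass" if strict_rpf_accept(fib, s, i) else "drop")
            for s, i in packets]


# Constructed sample traffic: (source address, arrival interface).
PACKETS = [
    ("192.0.2.10", "FastEthernet0"),    # LAN A host using its own address
    ("198.51.100.7", "FastEthernet0"),  # LAN A host, forged outside source
    ("192.0.2.200", "FastEthernet0"),   # LAN A host, forged LAN B source
    ("198.51.100.7", "Serial0"),        # ordinary inbound from upstream
    ("192.0.2.10", "Serial0"),          # upstream packet claiming LAN A source
]

if __name__ == "__main__":
    for src, ifc, verdict in filter_packets(FIB, PACKETS):
        print(f"{verdict:4}  src={src:<13} in={ifc}")
```

The last packet shows why the check suits stub interfaces: it passes or fails purely on whether the route back matches the arrival interface, so a site whose return path legitimately differs from its inbound path would see valid traffic dropped.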