Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DDOS Attack Mitigation

From: bet () RAHUL NET (Bennett Todd)
Date: Tue, 15 Feb 2000 19:12:48 -0500

2000-02-14-13:44:09 Julien Nadeau:

A solution would be for kernels to provide an option to keep a
local IP lookup table which could be simply based on network
interfaces; of course, given an stable implementation, this option
enabled by default would take care of spoofing problems for admins
who don't think much about what they're sending out -- i mean,
they're big part of the problem.


Linux already has such an option; just go

        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
        done

and the routing logic will drop packets with forged source addrs.
It's not on by default. Yet.

I theorize that this will be an option, turned on by default,
on most or all routers, before much longer. Kinda like how MTAs
switched to disabling open relaying by default when the spammers got
to be too much of a nuisance.

-Bennett

<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>
Previous By Date Next
Previous By Thread Next

Current thread: