Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: jan () nil si
Date: Wed, 31 Jan 2001 13:46:57 +0100

> Or, perhaps just get Cisco to add an interface statement "leaf-subnet"
> that is on by default, which prevents spoofing into that interface.

int fa0/1
     ip verify unicast reverse-path

does exactly that (in 11.1CC and 12.x images). It checks for spoofs with
a lookup in the forwarding table for each SOURCE address received on that
interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/uni_rpf.htm

Generally, it's hard to automagically decide what a leaf subnet is, if
your router configurations are not by-the-book or there is asymmetric
routing in place.

Cheers,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer
NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
Phone +386 1 4746 500       Fax +386 1 4746 501      http://www.NIL.si

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
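The check Jan describes, a forwarding-table lookup on the SOURCE address of every packet arriving on the interface, is easy to model. The block below is an added example written for this archive page, not code from the original post or from Cisco: it implements strict reverse-path verification over a constructed, hypothetical FIB and a few constructed packets, and deliberately includes the asymmetric-routing case he warns about (a legitimate source whose best return route leaves via a different interface is dropped). Whether a match on the default route only counts as a valid reverse path varies by implementation, so it is exposed as an `allow_default` flag rather than asserted as IOS behaviour.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed forwarding table for a hypothetical edge router (assumption, not
# from the post). Maps prefix -> egress interface, as a FIB lookup would return.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "fa0/0",          # default route toward the upstream
    "192.0.2.0/24": "fa0/1",       # customer leaf subnet behind fa0/1
    "198.51.100.0/24": "fa0/2",    # second customer behind fa0/2
    "198.51.100.128/25": "fa0/3",  # more-specific half of it now reached via fa0/3
}


def fib_lookup(fib: Dict[str, str], addr: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match on the forwarding table.

    Returns the egress interface for addr, or None when nothing matches.
    A match on 0.0.0.0/0 alone counts only when allow_default is True
    (a modelling choice; real implementations differ here)."""
    ip = ipaddress.ip_address(addr)
    best_net = None
    best_iface = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_net is None:
        return None
    if best_net.prefixlen == 0 and not allow_default:
        return None
    return best_iface


def strict_urpf(fib: Dict[str, str], ingress: str, src: str, allow_default: bool = False) -> bool:
    """Strict reverse-path check for a packet received on `ingress` with source `src`:
    forward only if the best route back to src leaves via that same interface."""
    return fib_lookup(fib, src, allow_default) == ingress


def filter_packets(fib: Dict[str, str], packets: List[Tuple[str, str]],
                   allow_default: bool = False) -> List[Tuple[str, str, str]]:
    """Apply strict uRPF to (ingress, src) pairs; returns (ingress, src, verdict)."""
    return [
        (ingress, src, "forward" if strict_urpf(fib, ingress, src, allow_default) else "drop")
        for ingress, src in packets
    ]


# Constructed sample traffic: (ingress interface, source address).
SAMPLE: List[Tuple[str, str]] = [
    ("fa0/1", "192.0.2.10"),      # legitimate customer source: route points back to fa0/1
    ("fa0/1", "203.0.113.5"),     # spoofed, no route except default: dropped
    ("fa0/1", "198.51.100.7"),    # spoofed neighbour's address: route points to fa0/2, dropped
    ("fa0/2", "198.51.100.200"),  # asymmetric routing: real host, but /25 is routed via fa0/3, dropped
    ("fa0/0", "203.0.113.5"),     # from upstream, only the default route matches
]


if __name__ == "__main__":
    for ingress, src, verdict in filter_packets(FIB, SAMPLE):
        print(f"{ingress:6} src={src:16} {verdict}")
    print("--- with allow_default ---")
    for ingress, src, verdict in filter_packets(FIB, SAMPLE, allow_default=True):
        print(f"{ingress:6} src={src:16} {verdict}")
```

The fourth sample packet is the point of the caveat: strict mode is safe on a true leaf interface, where every address behind it is routed only through it, but as soon as a prefix can legitimately arrive via another path the same lookup drops real traffic. The last packet shows why the upstream side is usually not a candidate for this statement at all: almost everything arriving there is covered only by the default route.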