Firewall Wizards mailing list archives
Re: DDOS Countermeasures RFC
From: jan () nil si
Date: Wed, 31 Jan 2001 13:46:57 +0100
> Or, perhaps just get Cisco to add an interface statement "leaf-subnet" that is on by default, which prevents spoofing into that interface.

    int fa0/1
     ip verify unicast reverse-path

does exactly that (in 11.1CC and 12.x images). It checks for spoofs with a lookup in the forwarding table for each SOURCE address received on that interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/uni_rpf.htm

Generally, it's hard to automagically decide what a leaf subnet is, if your router configurations are not by-the-book or there is asymmetric routing in place.

Cheers,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer
NIL Data Communications, Einspielerjeva 6, 1000 Ljubljana, Slovenia
Phone +386 1 4746 500
Fax +386 1 4746 501
http://www.NIL.si

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
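
The source-address lookup described in the message above, and the asymmetric-routing caveat it ends on, as an added example that is not part of the original post and is not Cisco's implementation. It is a simplified model (one best path per prefix, no equal-cost paths); the routing tables, the RFC 5737 addresses and the interface names se0/0 and se0/1 are constructed for illustration.

```python
import ipaddress

class Fib:
    """Simplified forwarding table: longest-prefix match, one best path per prefix."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr):
        """Return the egress interface of the most specific matching route, or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, ifname) for net, ifname in self.routes if ip in net]
        return max(matches)[1] if matches else None

def rpf_check(fib, src, in_if):
    """Strict reverse-path check: accept only if the route back to src uses in_if."""
    back = fib.lookup(src)
    if back is None:
        return (False, f"drop {src} on {in_if}: no route to source")
    if back != in_if:
        return (False, f"drop {src} on {in_if}: route to source points out {back}")
    return (True, f"accept {src} on {in_if}")

# Constructed sample tables (documentation prefixes; se0/0 and se0/1 are assumed names).
# Leaf router: customer subnet on fa0/1, everything else via the uplink.
LEAF = Fib([("192.0.2.0/24", "fa0/1"), ("0.0.0.0/0", "se0/0")])
# Two uplinks: the best path to 203.0.113.0/24 is se0/0, but that network
# may send its traffic back through se0/1 (asymmetric routing).
MULTIHOMED = Fib([("203.0.113.0/24", "se0/0"), ("198.51.100.0/24", "se0/1")])

if __name__ == "__main__":
    cases = [
        (LEAF, "192.0.2.10", "fa0/1"),         # real host on the leaf subnet
        (LEAF, "198.51.100.7", "fa0/1"),       # spoofed source entering from the leaf
        (MULTIHOMED, "203.0.113.5", "se0/0"),  # symmetric path
        (MULTIHOMED, "203.0.113.5", "se0/1"),  # legitimate, but asymmetric return path
    ]
    for fib, src, in_if in cases:
        print(rpf_check(fib, src, in_if)[1])
```

The last case is the false positive: the packet is legitimate, yet the strict check drops it because the forwarding table's best path back to the source uses the other uplink.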