nanog mailing list archives
RE: Effective ways to deal with DDoS attacks?
From: "Gironda, Andre" <agironda () ebay com>
Date: Fri, 3 May 2002 12:32:39 -0700
On 5/3/02 12:05 PM, "Stephen Griffin" <stephen.griffin () rcn com> wrote:
Most Cisco boxes have 3 related modes of uRPF: 1) pure RPF, if forwarding path back to source doesn't go via interface packet received from, then dump. I believe, but am not positive, that it will handle equal-cost-multipath ok in situations where that exists. 2) acl exceptions, if source matches the acl, allow the packet 3) not-so-pure RPF, if there is _any_ forwarding path back to the source via _any_ interface, then accept.
Speaking of this, has anyone seen Barry Greene's and Philip Smith's new book, "Cisco ISP Essentials"? It covers the uRPF strict mode as well using uRPF with multihoming examples, etc. I wish we could hear from them about it on this list. Actually, I'd rather hear it from people using it. Are there any configs out there that show uRPF with multihoming examples especially in ISP POP or IDC's? Let's say you have multiple ECMP on the back side and multiple transit providers and peers taking a mix of full and peering routes at the edge -- what would that look like?
for single-homed customers, simple uRPF for multihomed customers, acl exceptions based upon their registered IRR-policy, since the customer should already be registering in the IRR you have a list of all networks reachable via the customer, regardless of the actual real-time announcements or policy applications (prepending, localpref tweaks, etc) for peers that are clued-in, again acl exceptions based upon the peers registered policy for non-clued peers, accept based upon any available forwarding path [hopefully, by the 100th time you beat on the peer about spoofed crud coming from them, they'll get religion and register, since you'll have less overall spoofing to track down, you can devote it to slapping them around more]
ACL exceptions based on IRR policy? So you are using RtConfig or similar scripts to build your uRPF rules? Can you clarify this a bit more, or give some examples? On-list or off-list is fine with me. Thanks -dre
Current thread:
- Re: Effective ways to deal with DDoS attacks?, (continued)
- Message not available
- Re: Effective ways to deal with DDoS attacks? Lincoln Dale (May 05)
- RE: Effective ways to deal with DDoS attacks? Livio Ricciulli (May 02)
- RE: Effective ways to deal with DDoS attacks? LeBlanc, Jason (May 02)
- RE: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 02)
- RE: Effective ways to deal with DDoS attacks? LeBlanc, Jason (May 02)
- Re: Effective ways to deal with DDoS attacks? Aditya (May 02)
- Re: Effective ways to deal with DDoS attacks? Mark Turpin (May 02)
- RE: Effective ways to deal with DDoS attacks? LeBlanc, Jason (May 02)
- RE: Effective ways to deal with DDoS attacks? LeBlanc, Jason (May 02)
- RE: Effective ways to deal with DDoS attacks? LeBlanc, Jason (May 02)
- RE: Effective ways to deal with DDoS attacks? Gironda, Andre (May 03)
- Re: Effective ways to deal with DDoS attacks? vern (May 07)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 07)
- Re: Effective ways to deal with DDoS attacks? E.B. Dreger (May 07)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 07)
- Re: Effective ways to deal with DDoS attacks? vern (May 07)
- Re: Effective ways to deal with DDoS attacks? vern (May 07)
- Re: Effective ways to deal with DDoS attacks? E.B. Dreger (May 07)