nanog mailing list archives

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

From: Chris Adams <cmadams () hiwaay net>
Date: Sat, 18 Jan 2003 22:45:11 -0600


Once upon a time, John Kristoff <jtk () aharp is-net depaul edu> said:

It might be nice if all router vendors were able to associate the
interface configured address(es)/nets as a variable for ingress
filters.  So for in the Cisco world, a simple example would be:

  interface Serial0
    ip address 192.0.2.1 255.255.255.128
    ip access-group 100 in
  !
  interface Serial1
    ip address 192.0.2.129 255.255.255.128
    ip access-group 100 in
  !
  access-list 100 permit ip $interface-routes any
  access-list 100 deny ip any any


How is this different than "ip verify unicast reverse-path" (modulo CEF
problems and bugs, which of course NEVER happen :-) )?

Multihomed customers are more interesting, but if all the single homed
customers had uRPF (or $VENDOR's equivalent) enabled it would cut down
on a significant amount of the spoofed traffic.

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Current thread:

Re: Is there a line of defense against Distributed Reflective attacks?, (continued)
- - - Re: Is there a line of defense against Distributed Reflective attacks? Christopher L. Morrow (Jan 17)
    - Re: Is there a line of defense against Distributed Reflective attacks? Mike Hogsett (Jan 17)
    - Re: Is there a line of defense against Distributed Reflective attacks? Kurt Erik Lindqvist (Jan 19)
    - Re: Is there a line of defense against Distributed Reflective attacks? John Kristoff (Jan 17)
  - Re: Is there a line of defense against Distributed Reflective attacks? Kurt Erik Lindqvist (Jan 17)
- FW: Re: Is there a line of defense against Distributed Reflective attacks? Stewart, William C (Bill), RTLSL (Jan 17)
  - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Christopher L. Morrow (Jan 17)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? todd glassey (Jan 19)
  - Message not available
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Daniel Senie (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? John Kristoff (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Chris Adams (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? hc (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? John Kristoff (Jan 19)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Christopher L. Morrow (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Rob Thomas (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Avleen Vig (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Christopher L. Morrow (Jan 18)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Avleen Vig (Jan 19)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Johannes Ullrich (Jan 19)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Rob Thomas (Jan 19)
    - Re: FW: Re: Is there a line of defense against Distributed Reflective attacks? Christopher L. Morrow (Jan 20)

(Thread continues...)