RE: Using Policy Routing to stop DoS attacks

["Christopher L. Morrow" <chris () UU NET>]

On Wed, 14 May 2003, Lars Higham wrote:

> Well, this is also from the docs:
>
> Unicast reverse path-forwarding (uRPF) check is a tool to reduce
> forwarding of IP packets that may be spoofing an address. A uRPF check
> performs a route table lookup on an IP packet's source address, and
> checks the incoming interface. The router determines whether the packet
> is arriving from a path that the sender would use to reach the
> destination. If the packet is from a valid path, the router forwards the
> packet to the destination address. If it is not from a valid path, the
> router discards the packet. uRPF is supported for both Internet Protocol
> Version 4 (IPv4) and Internet Protocol Version 6 (IPv6) protocol
> families.
>
> Do you have more specific questions about the implementation?

The original question was along the lines of: "On a cisco the blackholed
SOURCE address will get dumped in uRPF, is that possible on the Juniper
also?"

> Regards,
> Lars
>
> -----Original Message-----
> From: Christopher L. Morrow [mailto:chris () UU NET]
> Sent: Wednesday, May 14, 2003 9:37 AM
> To: Lars Higham
> Cc: 'Stefan Mink'; 'Haesu'; jtk () aharp is-net depaul edu; nanog () merit edu
> Subject: RE: Using Policy Routing to stop DoS attacks
>
>
>
>
> On Wed, 14 May 2003, Lars Higham wrote:
>
> > Sorry,
> >
> > I misunderstood the earlier question -
> >
> > > From the docs:
> > To enable unicast RPF check, include the unicast-reverse-path
> > statement at the [edit routing-options forwarding-table] hierarchy
> > level: [edit] routing-options {
> >     forwarding-table{
> >             unicast-reverse-path (active-paths | feasible-paths);
> >             }
> >     }
>
> yes, the config bits are on the website.... BUT, not the details of the
> implementation :) So, does uRPF on a juniper work the same as the
> cisco??
> :)
>
> > Regards,
> > Lars Higham
> >
> > -----Original Message-----
> > From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf
> > Of Christopher L. Morrow
> > Sent: Tuesday, May 13, 2003 2:00 AM
> > To: Stefan Mink
> > Cc: Haesu; jtk () aharp is-net depaul edu; nanog () merit edu
> > Subject: Re: Using Policy Routing to stop DoS attacks
> >
> >
> >
> >
> > On Mon, 12 May 2003, Stefan Mink wrote:
> >
> > > On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow
> > > wrote:
> > > > you could hold blackhole routes for these destinations in your
> > > > route
> > table
> > > > (local or bgp) So long as the destination for the source is bad
> > (null for
> > > > instance) the traffic would get dropped. I believe the proper
> > > > terms
> > from
> > > > cisco for this are: "So long as the adjacency is invalid" ...
> > >
> > > is there a way to make this source-blackhole-routing work on J's too
>
> > > (does this work with discard-routes too)?
> >
> > I believe someone from Juniper should likely answer this question :)
> > As I understand the setup from a Cisco perspective (and someone from
> > Cisco can
> > correct me if I get it wrong). uRPF works in such a way that if the
> > source
> > address's destination has an invalid FIB entry (or no entry, or Null0)
> > the
> > packets are dropped.
> >
> > Perhaps Juniper implemented it this way? I have not checked anymore
> > closely than this. Sorry. :(