Network Operators and smurf

Havard.Eidnes at runit.sintef.no
Sat Apr 25 17:37:36 UTC 1998


> Wait; all traffic is coming in one interface. The CEF thing
> will have no effect if the spoofed source address is a real
> network.

"The CEF thing" configuration from my first message in this
thread does the following:

For each packet entering an interface with "ip verify unicast
reverse-path" turned on, the router will look up the source
address from the IP packet in the CEF table and find the
interface (or set of interfaces) it would use to route back to
the source.  If the incoming interface for the actual packet is
not among those returned by the "reverse-path" lookup, the packet
is dropped on the floor.

From my point of view this is exactly the sort of functionality
which is needed to prevent us from being the host (originator) of
a Smurf attack (or more generally from attacks involving IP
address spoofing), as in the case of a Smurf attack packets with
the victim's source address entering from the wrong interface
will be dropped on the floor.

If you still think this doesn't help or isn't useful, I propose
that we take it to private e-mail (?).


- Håvard
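The reverse-path check described in the message, as an added example that is not part of the original post or of any vendor's code: a Python simulation of strict uRPF over a constructed forwarding table (longest-prefix match, with a set of interfaces per prefix to model equal-cost paths). It shows a spoofed victim address arriving from a customer interface being dropped, and also the caveat raised in the quoted reply: a spoofed source that the router would route back out the same upstream interface passes the check. All prefixes and interface names are constructed.

```python
import ipaddress

# Constructed sample CEF/FIB: prefix -> set of interfaces used to reach it.
# A set models equal-cost paths ("set of interfaces" in the message).
FIB = {
    "0.0.0.0/0": {"Serial0"},                  # default route toward upstream
    "192.0.2.0/24": {"Ethernet0"},             # customer LAN A
    "198.51.100.0/24": {"Ethernet1"},          # customer LAN B
    "203.0.113.0/24": {"Serial0", "Serial1"},  # victim's network, two equal-cost links
}


def lookup(fib, addr):
    """Longest-prefix match of addr in fib; returns the set of egress interfaces."""
    ip = ipaddress.ip_address(addr)
    best_net, best_ifaces = None, set()
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces


def strict_urpf(fib, src, ingress):
    """Strict 'ip verify unicast reverse-path': accept the packet only if the
    interface it arrived on is one the router would use to route back to src."""
    return ingress in lookup(fib, src)


def filter_packets(fib, packets):
    """Split a batch of (src, ingress) pairs into (accepted, dropped)."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if strict_urpf(fib, src, ingress) else dropped).append((src, ingress))
    return accepted, dropped


# Constructed traffic: one legitimate packet, a smurf-style packet spoofing the
# victim from customer LAN A, a spoofed LAN B address from upstream, and an
# unknown source from upstream (routes back via the default route, so it passes).
SAMPLE = [
    ("192.0.2.10", "Ethernet0"),
    ("203.0.113.5", "Ethernet0"),
    ("198.51.100.7", "Serial0"),
    ("192.168.77.1", "Serial0"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(FIB, SAMPLE)
    print("accepted:", ok)
    print("dropped: ", bad)
```

Applying the check on the upstream interface is therefore no substitute for applying it on the customer-facing interfaces, which is where a spoofed victim address can be tied to a specific wrong ingress.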


