Effective ways to deal with DDoS attacks?

Mark Turpin mark at gomez.charter.com
Thu May 2 18:25:26 UTC 2002


On Thu, May 02, 2002 at 10:16:55AM -0700, LeBlanc, Jason wrote something like this:
> That's how we understood it to work (CEF lookup).  It checks for a route
> in the table, obviously any real route would be in the CEF table.  I may be
> wrong, but it doesn't actually send a packet to verify, the logical way to
> check would be by checking CEF, as anything the router knows about that is
> valid would be in CEF.  If I'm misunderstanding, please do send more info.

I think a typo on my part has led to misunderstanding even more.  However, the thread's 
getting hot, so I'm about ready to part ways with it.

Regarding my statements, I was not inferring a packet be sent off to a host, or
anything of that nature.  What I'm referring to is a simple lookup [we now agree by CEF]
to verify that the interface a packet was received on was actually the interface
CEF would use to go back to the source of that packet. (I forgot source last time)

If you can tweak rpf now to support multihoming, woohoo.
And yes, depending on where you implement rpf the routing table comes into play.
big woop.

Earlier LeBlanc, Jason wrote something like this:
> There are some limitations as to where uRPF works, SONET only on GSRs for
> example (thanks Cisco).  I believe it will work on 65xx (SUP1A and SUP2 I
> think) regardless of interface type.  Impact should be minimal, as it simply     
> does a lookup in the CEF table, if the route isn't there it discards.

That's what prompted me to even reply in the first place was noticing the fact
you stated rpf only worked on pos interfaces on gsrs and that it did a simple route
lookup.  Both of which I disagree with.  I've already stated what it's looking
for in the fib, and it's *not* whether it's 'there or not'.

I'm over it, so have a good day...
-mark
-- 
   Why is it considered necessary to nail down the lid of a coffin?
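
Added example, not part of the original message and not Cisco's CEF code: a simplified Python model of the two checks argued over in this thread, the "is there a route to the source" lookup and the reverse-path check that compares the receive interface with the interface the FIB would use to reach the source. The FIB contents, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB (documentation prefixes, made-up interface names):
# prefix -> interface(s) the router would forward out of to reach that prefix.
SAMPLE_FIB = {
    "192.0.2.0/24": {"pos1/0"},
    "198.51.100.0/24": {"pos2/0"},
    "198.51.100.128/25": {"ge3/0"},   # more-specific wins over the /24
    "203.0.113.0/24": {"pos1/0"},     # multihomed site, best path on pos1/0 only
}

def build_fib(table):
    return [(ipaddress.ip_network(p), frozenset(i)) for p, i in table.items()]

def lookup(fib, addr):
    """Longest-prefix match on addr; returns the interface set or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifaces in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def exists_check(fib, src):
    """'There or not': pass if any route covers the source address."""
    return lookup(fib, src) is not None

def rpf_check(fib, src, in_iface):
    """Pass only if the packet arrived on an interface the FIB would use
    to send traffic back to its source."""
    ifaces = lookup(fib, src)
    return ifaces is not None and in_iface in ifaces

# Constructed packets: (source address, interface it was received on)
SAMPLE_PACKETS = [
    ("192.0.2.10", "pos1/0"),      # arrives on the reverse-path interface
    ("192.0.2.10", "pos2/0"),      # routed source, wrong interface
    ("198.51.100.200", "pos2/0"),  # /24 says pos2/0, but the /25 says ge3/0
    ("203.0.113.5", "pos2/0"),     # legitimate multihomed traffic, second link
    ("10.9.9.9", "pos1/0"),        # no route to the source at all
]

def classify(fib, packets):
    """Return (src, iface, exists_ok, rpf_ok) for each packet."""
    return [(s, i, exists_check(fib, s), rpf_check(fib, s, i)) for s, i in packets]

if __name__ == "__main__":
    for row in classify(build_fib(SAMPLE_FIB), SAMPLE_PACKETS):
        print("%-15s %-7s exists=%-5s rpf=%s" % row)
```

Rows two to four are the cases where the two checks disagree: the source is routable, so the existence lookup passes, but the receive interface is not the reverse path, so the interface check drops the packet, including the legitimate multihomed one.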


