no ip forged-source-address

Jim Forster forster at cisco.com
Thu Oct 31 07:13:34 UTC 2002


On 10/30/02 11:26 AM, "Hank Nussbacher" <hank at att.net.il> wrote:

> If every router in the world did this I could still use spoofed IP
> addresses and DDOS someone.  My little program could determine what subnet
> I am on, check what other hosts are alive on the subnet and then when it
> decides to attack, it would use some neighbor's IP.  The subnet I am on is
> a /24 and there very well may be a few dozen hosts.  I could be real
> sneaky and alter my IP randomly to be any of my neighbors for every packet
> I send out.
> 
> Traceback would get me instantly back to the offending subnet but then it
> would take a bit of digging on the network admin to track me down and
> applying RPF checking won't help.
> 
> RPF checking can only go so far.  You would need RPF checking down to the
> host level and I haven't heard anyone discuss that yet.

That's what we can do on our DOCSIS CMTS -- verify that the source IP
address is that which was issued with DHCP over the same DOCSIS SID.  It's
not possible to spoof using your neighbor's PC, even if they're on the same
subnet, as their CM has a different DOCSIS SID.  Otherwise the typical RPF
checking would be pretty ineffective, with up to 1000 or even 2000 CMs on
a single interface/subnet.

So if the operator had this feature turned on your little program would not
succeed on PCs behind cable modems.

  -- Jim
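As an added illustration of the distinction Jim draws above (this is example code written for this page, not code from the original post and not any vendor's CMTS implementation), the Python model below puts an interface-level uRPF check beside a per-SID check keyed on a DHCP lease table. The lease table, the SIDs 101-103, the 10.0.0.0/24 subnet and the addresses in it are all constructed sample data; a real CMTS would learn the bindings by snooping DHCP ACKs on the cable interface, which this model simply assumes has already happened. It then replays Hank's scenario of rotating through neighbours' addresses on every packet.

```python
"""Model of per-SID source-address verification on a DOCSIS CMTS.

Added example for this page, not from the original post or any vendor.
The lease table, SIDs and addresses below are constructed sample data.
"""
import ipaddress
import random
from dataclasses import dataclass

# Constructed: the one subnet shared by every cable modem on the interface.
SUBNET = ipaddress.ip_network("10.0.0.0/24")

# Constructed: which source addresses DHCP handed out over which DOCSIS SID.
# Assumed to have been learned by snooping DHCP on the cable interface.
LEASES = {
    101: {"10.0.0.11"},
    102: {"10.0.0.12"},
    103: {"10.0.0.13", "10.0.0.14"},  # two CPE devices behind one modem
}


@dataclass(frozen=True)
class Packet:
    sid: int   # service ID of the cable modem the packet arrived on
    src: str   # source IPv4 address claimed in the header


def rpf_subnet_check(pkt: Packet, subnet=SUBNET) -> bool:
    """Interface-level (strict) uRPF: the source must be routed back out the
    cable interface, i.e. lie inside the subnet assigned to it.  Every CM on
    the interface shares that subnet, so this cannot tell modems apart."""
    return ipaddress.ip_address(pkt.src) in subnet


def sid_source_check(pkt: Packet, leases=LEASES) -> bool:
    """Per-SID verification: the source must have been leased over the very
    SID the packet arrived on.  A neighbour's address fails here even though
    it sits in the same /24, because it was leased over a different SID."""
    return pkt.src in leases.get(pkt.sid, set())


def all_leased_addresses(leases=LEASES):
    """Every address currently bound to some SID (the 'live neighbours')."""
    return set().union(*leases.values())


def hank_attack(attacker_sid: int, neighbours, n_packets: int, seed: int = 1):
    """Hank's scenario: from one modem, use a randomly chosen live neighbour's
    address for every packet.  Returns (passed_uRPF, passed_per_SID) counts."""
    rng = random.Random(seed)
    pool = sorted(neighbours)
    pkts = [Packet(attacker_sid, rng.choice(pool)) for _ in range(n_packets)]
    passed_rpf = sum(rpf_subnet_check(p) for p in pkts)
    passed_sid = sum(sid_source_check(p) for p in pkts)
    return passed_rpf, passed_sid


if __name__ == "__main__":
    legit = Packet(101, "10.0.0.11")            # attacker's own leased address
    spoof_neighbour = Packet(101, "10.0.0.12")  # neighbour's leased address
    spoof_offnet = Packet(101, "192.0.2.5")     # address from another network
    for p in (legit, spoof_neighbour, spoof_offnet):
        print(p, "uRPF:", rpf_subnet_check(p), "per-SID:", sid_source_check(p))
    neighbours = all_leased_addresses() - LEASES[101]
    print("uRPF passed, per-SID passed:", hank_attack(101, neighbours, 1000))
```

Running it, the off-net spoof fails both checks, but the neighbour spoof passes subnet-level uRPF and fails only the per-SID check; over a thousand randomised packets every one clears uRPF and none clears the SID binding, which is the gap Hank describes and the feature Jim describes closing. The model's weak point is the same as the real one: the lease table is only as trustworthy as the DHCP snooping that builds it, so statically addressed or rogue-DHCP hosts need separate handling.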
