FW: Re: Is there a line of defense against Distributed Reflective attacks?

Chris Adams cmadams at hiwaay.net
Sun Jan 19 04:45:11 UTC 2003


Once upon a time, John Kristoff <jtk at aharp.is-net.depaul.edu> said:
> It might be nice if all router vendors were able to associate the
> interface configured address(es)/nets as a variable for ingress
> filters.  So for in the Cisco world, a simple example would be:
> 
>   interface Serial0
>     ip address 192.0.2.1 255.255.255.128
>     ip access-group 100 in
>   !
>   interface Serial1
>     ip address 192.0.2.129 255.255.255.128
>     ip access-group 100 in
>   !
>   access-list 100 permit ip $interface-routes any
>   access-list 100 deny ip any any

How is this different than "ip verify unicast reverse-path" (modulo CEF
problems and bugs, which of course NEVER happen :-) )?

Multihomed customers are more interesting, but if all the single homed
customers had uRPF (or $VENDOR's equivalent) enabled it would cut down
on a significant amount of the spoofed traffic.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
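The exchange above compares an ingress ACL built from the ingress interface's own configured prefixes (the "$interface-routes" idea) with unicast RPF. The following Python model, added here as an example and not part of the original thread or any vendor's implementation, runs three policies side by side over constructed sample packets: the interface-prefix ACL, strict uRPF (the best route to the source must point back out the ingress interface) and loose uRPF (any route to the source suffices). All interface names, prefixes and forwarding entries are constructed for the example; the choice to ignore the default route in loose mode is a simplifying assumption of this model, not a statement about any particular vendor's default.

```python
"""Toy model of source-address ingress checks on a router.

Policies compared on constructed sample packets:
  interface_acl : permit only sources inside the prefixes configured on the
                  ingress interface (the "$interface-routes" idea)
  urpf_strict   : best route to the source must point back out the ingress interface
  urpf_loose    : any non-default route to the source is enough (simplifying assumption)
Every prefix, interface name and FIB entry below is constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed interface configuration; the two /25s mirror the quoted config,
# Serial2 is the second link of a multihomed customer.
INTERFACES: Dict[str, List[Net]] = {
    "Serial0": [ipaddress.ip_network("192.0.2.0/25")],
    "Serial1": [ipaddress.ip_network("192.0.2.128/25")],
    "Serial2": [ipaddress.ip_network("192.0.2.252/30")],
}

# Constructed forwarding table: (prefix, egress interface). Connected routes,
# one customer block learned by routing whose best path is via Serial1,
# and a default route towards the upstream.
FIB: List[Tuple[Net, str]] = [
    (ipaddress.ip_network("192.0.2.0/25"), "Serial0"),
    (ipaddress.ip_network("192.0.2.128/25"), "Serial1"),
    (ipaddress.ip_network("192.0.2.252/30"), "Serial2"),
    (ipaddress.ip_network("198.51.100.0/24"), "Serial1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Upstream0"),
]


def longest_match(fib: List[Tuple[Net, str]], src: str) -> Optional[Tuple[Net, str]]:
    """Return the most specific FIB entry covering src, or None."""
    ip = ipaddress.ip_address(src)
    best: Optional[Tuple[Net, str]] = None
    for net, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def interface_acl_permits(ingress: str, src: str) -> bool:
    """ACL generated from the ingress interface's configured prefixes only."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERFACES.get(ingress, []))


def urpf_strict(ingress: str, src: str) -> bool:
    """Strict mode: the reverse path to src must be the ingress interface."""
    match = longest_match(FIB, src)
    return match is not None and match[1] == ingress


def urpf_loose(ingress: str, src: str) -> bool:
    """Loose mode: a route to src must exist; the default route does not count
    (simplifying assumption of this model)."""
    match = longest_match(FIB, src)
    return match is not None and match[0].prefixlen > 0


def evaluate(ingress: str, src: str) -> Dict[str, bool]:
    """Run all three policies for one packet arriving on `ingress` with source `src`."""
    return {
        "interface_acl": interface_acl_permits(ingress, src),
        "urpf_strict": urpf_strict(ingress, src),
        "urpf_loose": urpf_loose(ingress, src),
    }


# Constructed sample packets: (ingress interface, source address, what they represent)
SAMPLE_PACKETS = [
    ("Serial0", "192.0.2.5", "legitimate single-homed customer"),
    ("Serial0", "192.0.2.200", "spoofed: source belongs to the Serial1 customer"),
    ("Serial1", "198.51.100.7", "routed (non-connected) customer block, symmetric path"),
    ("Serial2", "198.51.100.7", "multihomed customer sending over its second link"),
    ("Serial0", "203.0.113.9", "spoofed: only the default route covers the source"),
]

if __name__ == "__main__":
    for ingress, src, label in SAMPLE_PACKETS:
        print(f"{ingress:8} {src:15} {evaluate(ingress, src)}  # {label}")
```

The run shows the difference raised in the reply: the interface-prefix ACL rejects the routed customer block on Serial1 because it is not a connected prefix, while strict uRPF consults the whole FIB and accepts it. It also shows the multihoming caveat: the same customer block arriving over Serial2 is dropped by strict mode because the best reverse path is Serial1, whereas loose mode accepts it but then also lets through a source spoofed from a neighbouring customer's range.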
