Permitting spoofed traffic [Was: Re: ddos attack blog]

• Previous message (by thread): Permitting spoofed traffic [Was: Re: ddos attack blog]
• Next message (by thread): Permitting spoofed traffic [Was: Re: ddos attack blog]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I
> can't endorse or advocate any particular method of blocking spoofed IP
> packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks your prefixes on ingress, is perhaps the safest bet. 
Strict uRPF has it's complications, and loose uRPF is almost too
forgiving.  If you're providing transit, it gets much more complicated
much more quickly, but the same principles apply (they just get to be a
less-than-100% solution)  :)

> I can, however, say with confidence that it is still a good idea.
> Great idea, even. :-)

Oh yeah :)

Jeff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140214/7b004f86/attachment.sig>

• Previous message (by thread): Permitting spoofed traffic [Was: Re: ddos attack blog]
• Next message (by thread): Permitting spoofed traffic [Was: Re: ddos attack blog]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]