Permitting spoofed traffic [Was: Re: ddos attack blog]

Jeff Kell jeff-kell at utc.edu
Sat Feb 15 02:18:17 UTC 2014


On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I
> can't endorse or advocate any particular method of blocking spoofed IP
> packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks your prefixes on ingress, is perhaps the safest bet.
Strict uRPF has its complications, and loose uRPF is almost too
forgiving.  If you're providing transit, it gets much more complicated
much more quickly, but the same principles apply (they just get to be a
less-than-100% solution)  :)

> I can, however, say with confidence that it is still a good idea.
> Great idea, even. :-)

Oh yeah :)

Jeff
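The three filters Jeff contrasts above (a stub-network egress/ingress ACL, strict uRPF, and loose uRPF), modelled as an added example in Python. This is not code from the post or from NANOG; the prefixes, the interface names and the FIB are constructed for illustration, and the allow_default switch stands in for the "allow-default" knob that several router vendors expose for uRPF. The point of the model is to show why strict uRPF drops legitimate asymmetric traffic and why loose uRPF still passes spoofed packets that borrow any routed prefix.

```python
import ipaddress

# Constructed: the prefixes a dead-end (stub) network originates.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:100::/48")]

# Constructed FIB for a transit-style router: prefix -> interface the best route leaves on.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",      # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",   # customer B
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/3",    # customer C
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",         # default route toward upstream
}


def _in_any(src, prefixes):
    """True if the source address falls inside any of the given prefixes."""
    a = ipaddress.ip_address(src)
    return any(a.version == p.version and a in p for p in prefixes)


def egress_acl(src):
    """Stub network, upstream-facing outbound filter: permit ONLY our own prefixes as source.
    Anything else leaving is spoofed (or a misconfiguration) and is dropped."""
    return "permit" if _in_any(src, OUR_PREFIXES) else "deny"


def ingress_acl(src):
    """Stub network, upstream-facing inbound filter: nobody outside may claim our prefixes."""
    return "deny" if _in_any(src, OUR_PREFIXES) else "permit"


def best_route(src):
    """Longest-prefix match of the source address against the FIB; None if unrouted."""
    a = ipaddress.ip_address(src)
    matches = [p for p in FIB if a.version == p.version and a in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def urpf_strict(src, in_iface, allow_default=False):
    """Strict uRPF: the best route back to the source must leave via the interface
    the packet arrived on. Asymmetric routing therefore fails this check."""
    route = best_route(src)
    if route is None:
        return False
    if route.prefixlen == 0 and not allow_default:
        return False  # only the default route covers the source; not accepted unless allowed
    return FIB[route] == in_iface


def urpf_loose(src, allow_default=False):
    """Loose uRPF: accept if the source is reachable via ANY interface. Catches unrouted
    and bogon sources, but not a spoofed source taken from some other routed prefix."""
    route = best_route(src)
    if route is None:
        return False
    if route.prefixlen == 0 and not allow_default:
        return False
    return True


if __name__ == "__main__":
    # Stub network: legitimate egress vs. a packet forging a foreign source.
    print("egress 192.0.2.10 ->", egress_acl("192.0.2.10"))      # permit
    print("egress 10.1.2.3   ->", egress_acl("10.1.2.3"))        # deny
    print("ingress 192.0.2.10 ->", ingress_acl("192.0.2.10"))    # deny (someone spoofing us)
    # Transit router: customer B's prefix arriving on customer C's port.
    print("strict B-from-C ->", urpf_strict("198.51.100.7", "Gi0/3"))  # False: dropped
    print("loose  B-from-C ->", urpf_loose("198.51.100.7"))            # True: too forgiving
```

Running the main block prints the per-check verdicts; the two transit-router lines are the heart of the argument: strict uRPF drops the packet whether it is a spoof or just customer B's legitimate traffic arriving on an unexpected port, while loose uRPF accepts it either way.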
