BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Sep 26 07:14:44 UTC 2016

On Sun, 25 Sep 2016 21:19:31 -0700, Hugo Slabbert said:

> Linux:
> From /etc/sysctl.conf:
> # Uncomment the next two lines to enable Spoof protection (reverse-path=20
> # filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.all.rp_filter=1
> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a
> thing on Linux.

See net/ipv6/netfilter/ip6t_rpfilter.c

Also, note that a lot of net.ipv4.conf variables also apply to ipv6 (though
checking the source tree, this isn't one of them, unless it's via a  macro that
some quick grepping didn't find...)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20160926/56fad030/attachment.sig>

More information about the NANOG mailing list