BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

Vincent Bernat bernat at luffy.cx
Mon Sep 26 07:34:34 UTC 2016

 ❦ 26 septembre 2016 09:14 CEST, Valdis.Kletnieks at vt.edu :

>> Linux:
>> From /etc/sysctl.conf:
>> # Uncomment the next two lines to enable Spoof protection (reverse-path=20
>> # filter)
>> # Turn on Source Address Verification in all interfaces to
>> # prevent some spoofing attacks
>> net.ipv4.conf.default.rp_filter=1
>> net.ipv4.conf.all.rp_filter=1

Only "all" is needed since the kernel will use the max of all and the
current interface value.

>> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a
>> thing on Linux.
> See net/ipv6/netfilter/ip6t_rpfilter.c
> Also, note that a lot of net.ipv4.conf variables also apply to ipv6 (though
> checking the source tree, this isn't one of them, unless it's via a  macro that
> some quick grepping didn't find...)

Yes, it doesn't apply. In Linux, there is no such thing as feature
parity for IPv6. davem said in the past that he didn't want this feature
in IPv6 and was planning to remove it in IPv4 (but I think this will
never happen):

I am using this instead (assuming ip46tables is iptables + ip6tables):

ip46tables -t raw -N RPFILTER
ip46tables -t raw -A RPFILTER -m rpfilter -j RETURN
iptables   -t raw -A RPFILTER -d -p udp --sport bootpc --dport bootps -j RETURN
ip6tables  -t raw -A RPFILTER -m rpfilter --accept-local -m addrtype --dst-type MULTICAST -j DROP
ip46tables -t raw -A RPFILTER -m limit --limit 5/s --limit-burst 5 \
           -j NFLOG --nflog-group 99 \
           --nflog-prefix "NF: rpfilter: "
ip46tables -t raw -A RPFILTER -j DROP
ip46tables -t raw -A PREROUTING -j RPFILTER
Use data arrays to avoid repetitive control sequences.
            - The Elements of Programming Style (Kernighan & Plauger)

More information about the NANOG mailing list