2000-02-14-13:44:09 Julien Nadeau:
> A solution would be for kernels to provide an option to keep a
> local IP lookup table which could be simply based on network
> interfaces; of course, given an stable implementation, this option
> enabled by default would take care of spoofing problems for admins
> who don't think much about what they're sending out -- i mean,
> they're big part of the problem.
Linux already has such an option; just go
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
and the routing logic will drop packets with forged source addrs.
It's not on by default. Yet.
I theorize that this will be an option, turned on by default,
on most or all routers, before much longer. Kinda like how MTAs
switched to disabling open relaying by default when the spammers got
to be too much of a nuisance.
-Bennett
PGP signature- DDOS Attack Mitigation Elias Levy
- Re: DDOS Attack Mitigation Darren Reed
- Re: DDOS Attack Mitigation Alan Brown
- Re: DDOS Attack Mitigation Darren Reed
- Re: DDOS Attack Mitigation Chris Cappuccio
- Re: DDOS Attack Mitigation John Edwards
- Re: DDOS Attack Mitigation Ryan Russell
- Re: DDOS Attack Mitigation Carson Gaspar
- Re: DDOS Attack Mitigation Julien Nadeau
- rp_filter? (was Re: DDOS Attack Mitigatio... Bennett Todd
- rp_filter? (was Re: DDOS Attack Mitig... Julien Nadeau
- Re: DDOS Attack Mitigation Homer Wilson Smith
- Re: DDOS Attack Mitigation John Payne
- Re: DDOS Attack Mitigation Andrzej Bialecki
- Re: DDOS Attack Mitigation Darren Reed
- Re: DDOS Attack Mitigation Andreas Busse
- Re: DDOS Attack Mitigation Elias Levy
- Re: DDOS Attack Mitigation Darren Reed
- Re: DDOS Attack Mitigation Stainforth, Matthew
- Re: DDOS Attack Mitigation Elias Levy
