ip verify unicast reverse-path
This command drops traffic from an interface if that interface
is not the route back to the address.
^ preferred best
and therein lies the rub
randy
Linux already has such an option; just go
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
and the routing logic will drop packets with forged source addrs.
It's not on by default. Yet.
Julien Nadeau writes:
I must be
I am summarizing a number of responses on this thread.
Unicast Reverse Path Forwarding (RPF).
ip verify unicast reverse-path
This command drops traffic from an interface if that interface
is not the route back to the address. This in effect drops
spoofed addresses. It requires that Cisco Express
This is a complete lie.
All modern "terminal servers" (you know, integrated modems and dialup server
hardware) including the Cisco As5300 that you mention are fully capable of
filtering traffic based on source address with no real impact on performance.
There is absolutely no excuse for an ISP
Hello all,
On Tue, 15 Feb 2000, Darren Reed wrote:
It's good to see that ISP's around the world prefer to have $$ in the bank
rather than a secure Internet. Little wonder that hacking is so prevalent.
I'd like to add that we (as a rather small German ISP) filter source
addresses too, at
Alan Brown wrote:
On Sun, 13 Feb 2000, Darren Reed wrote:
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".
To be fair, if you do this on most terminal servers (eg, Cisco
In some mail from Hugh LaMaster, sie said:
[...]
The simplest ingress filtering to stop IP address
spoofing on a Cisco is simply to apply the following
to stub network interfaces:
ip verify unicast reverse-path
I assume that this is mostly what people are talking about
in
On Tue, 15 Feb 2000, Alan Brown wrote:
On Sun, 13 Feb 2000, Darren Reed wrote:
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".
To be fair, if you do this on most
]
Subject: Re: DDOS Attack Mitigation
Ingress/egress filters can be problematic, it's not just a performance
problem. With upstream providers being real harsh on handing out IP
ranges, and insisting that every IP subnet be used regardless of how many
criss cross routes we have to put
"Alan" == Alan Brown [EMAIL PROTECTED] writes:
Alan On Sun, 13 Feb 2000, Darren Reed wrote:
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".
Alan To be fair, if you do this
2000-02-14-13:44:09 Julien Nadeau:
A solution would be for kernels to provide an option to keep a
local IP lookup table which could be simply based on network
interfaces; of course, given a stable implementation, this option
enabled by default would take care of spoofing problems for admins
In some mail from Andrzej Bialecki, sie said:
On Sun, 13 Feb 2000, Darren Reed wrote:
In some mail from Elias Levy, sie said:
[...]
Network Ingress Filtering:
--
All network access providers should implement network ingress filtering
to stop any of
In some mail from Alan Brown, sie said:
On Sun, 13 Feb 2000, Darren Reed wrote:
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons".
To be fair, if you do this on most
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons". They've had the ability to do it for
years and in doing so would seriously reduce the number and possibility
of "spoofing"
Ingress/egress filters can be problematic, it's not just a performance
problem. With upstream providers being real harsh on handing out IP
ranges, and insisting that every IP subnet be used regardless of how many
criss cross routes we have to put in our many routers to do it, the access
lists
On Sun, Feb 13, 2000 at 07:50:17PM +1100, Darren Reed wrote:
You know if anyone was of a mind to find someone at fault over this,
I'd start pointing the finger at ISP's who haven't been doing this
due to "performance reasons". They've had the ability to do it for
years and in doing so would
Unless you lived under a rock for the past week you've heard of the
distributed denial of service attacks (DDOS) against some of the
top Internet web sites. In particular these attacks were of the
bandwidth consumption type. Some of the network providers involved
claim to have been upwards of 1