North American Network Operators Group

Re: Actions to quiet the Smurf amplifiers?
ingress filtering .. that's a novel idea :-)

-danny

Phil Howard wrote:
>
>The method involves a software design change in the routers. For each
>arriving packet, in addition to doing a routing lookup based on the
>destination, also do a routing lookup based on the source address.
>If the interface the packet arrived on is NOT in the list of addresses
>that routing back to the source suggests, then discard the packet.
>That will drop the majority of packets before they even reach smurf
>amplifiers, as they are generally forge-sourced to the ultimate target
>of the attack. The first router hop with this implemented where the
>source address is invalid will stop the attack. The core backbone
>probably does not need to have this enabled, but all the leafs from it
>should to ensure no forged sources can get through.
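
The source-address lookup described in the quoted message, as an added example that is not part of the original thread: a Python sketch of the strict reverse-path check a leaf router would apply to each arriving packet. The forwarding table, interface names, function names and documentation-range addresses are all constructed for illustration.

```python
import ipaddress

# Constructed forwarding table for a hypothetical leaf router: prefix -> set of
# interfaces that routing toward that prefix would use.
ROUTES = {
    "0.0.0.0/0": {"upstream0"},                 # default route toward the backbone
    "192.0.2.0/24": {"cust0"},                  # single-homed customer
    "198.51.100.0/24": {"cust1", "cust2"},      # customer reachable over two links
}
TABLE = [(ipaddress.ip_network(p), ifs) for p, ifs in ROUTES.items()]


def reverse_path_interfaces(src, table=TABLE):
    """Longest-prefix match on the SOURCE address; returns the interface set."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifs) for net, ifs in table if addr in net]
    if not matches:
        return set()  # no route back to the source at all
    return max(matches, key=lambda m: m[0])[1]


def accept(src, in_iface, table=TABLE):
    """Strict check: keep the packet only if it arrived on an interface that
    routing back to its source would use."""
    return in_iface in reverse_path_interfaces(src, table)


def filter_packets(packets, table=TABLE):
    """Return (forwarded, dropped) lists for (src, dst, in_iface) tuples."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if accept(pkt[0], pkt[2], table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic. 203.0.113.7 stands in for the attack target, which is
# not behind cust0; 198.51.100.255 stands in for an amplifier's broadcast address.
PACKETS = [
    ("192.0.2.10", "198.51.100.20", "cust0"),      # honest customer traffic
    ("203.0.113.7", "198.51.100.255", "cust0"),    # forged source, wrong interface
    ("198.51.100.20", "192.0.2.10", "cust2"),      # second of two valid links
    ("203.0.113.7", "192.0.2.10", "upstream0"),    # matches the default route
]

if __name__ == "__main__":
    fwd, drop = filter_packets(PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The last sample packet is forwarded because the default route covers every source arriving from upstream, so the check only has teeth on the customer-facing interfaces at the edge.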