|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Possible DoS attack (?)
Hi, I'm sure you guys (girls?) are all aware of the default option for this, but we have just decided to implement 'ip route-cache same-interface' on our client interfaces since the default option on the Cisco IOS version 11.1 (x) which we use at present is 'off'. The reason this may be a problem is that the default option implies process switching for packets directed at the target address where that destination is reached via the same interface. The trade-off is that ICMP redirects work all the time when the option is disabled, but only for the first packet per destination when it is not. Our particular problem is that we have overlaid IP subnets where many of the hosts on these subnets ignore ICMP redirects. The potential DoS attack I am thinking of involves peer or transit networks forwarding packets with forged source addresses to their next-hop, such that the packets are immediately bounced back to their forged sources via their source router across the exchange, having been process switched. This problem could be avoided by fast switching the packets that are to be bounced back. This may not be a problem for routers using CEF, presuming that such routers do not use their CPUs to switch packets back towards their return-paths where this is via the same interface, but I am uncertain if this is the case. Of course, if everyone did proper source address access-lists on ingress ports, this would not be a problem (but I suspect that everyone does not). Regards, M.
|