North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Aditya
  • Date: Thu May 02 13:43:14 2002

In case no one has already posted it, you might check out the following
document:

  http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf

which talks about knobs for Cisco's RPF that will allow it to "work" with
multihomed situations. There is also stuff in there about how to propagate a
"null route" quickly for any _source_ prefix using IBGP (and no, an IGP like
ISIS or OSPF won't work) and RPF.

To back Jason up, Cisco's unicast RPF decides whether an interface is the
"best" by doing a CEF lookup.

Adi

On Thu, May 02, 2002 at 10:16:55AM -0700, LeBlanc, Jason wrote:
> 
> That's how we understood it to work (CEF lookup).  It checks for a route
> in the table, obviously any real route would be in the CEF table.  I may be
> wrong, but it doesn't actually send a packet to verify, the logical way to
> check would be by checking CEF, as anything the router knows about that is
> valid would be in CEF.  If I'm misunderstanding, please do send more info.
> 
> -----Original Message-----
> From: Mark Turpin [mailto:[email protected]]
> Sent: Thursday, May 02, 2002 10:05 AM
> To: LeBlanc, Jason
> Cc: [email protected]
> Subject: Re: Effective ways to deal with DDoS attacks?
> 
> 
> On Thu, May 02, 2002 at 09:41:33AM -0700, LeBlanc, Jason wrote something
> like this:
> <snip>
> > 
> > There are some limitations as to where uRPF works, SONET only on GSRs for
> > example (thanks Cisco).  I believe it will work on 65xx (SUP1A and SUP2 I
> > think) regardless of interface type.  Impact should be minimal, as it simply
> > does a lookup in the CEF table, if the route isn't there it discards.  Keep
> > in mind this is NOT a filter, so the impact is much less, it is simply a CEF
> > lookup, much more efficient than a filter.  This will get rid of a HUGE
> > percentage of spoofed packets that hit your network, and would also work
> > pretty well if you are the source of an attack.  There is some debate as to
> > whether you must not have ANY RFC1918 space for this to work.  We're trying
> > to find this out (not a priority), if I get info I'll post.
> > 
> 
> hmm... either you're being extremely vague, or you misunderstand how RPF
> works.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm
> 
> It's not checking CEF to see if a route is there.... it's making sure that a
> packet received on an interface came in on an interface that is the best return
> path to reach that packet.
> 
> thereby explaining why multihomed customers will get borked in the event of
> using rpf.
> 
> enjoy,
> -mark
> -- 
>          Support your local medical examiner--die strangely.
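The disagreement in this thread (Jason's "is there a route at all" versus Mark's "did it arrive on the best return path") is exactly the difference between loose-mode and strict-mode uRPF, and Aditya's point about a null route for a source prefix is what makes loose mode useful against a DDoS source. The following model, added here as an illustration and not code from the thread, Cisco, or any of the posters, simulates a CEF/FIB longest-prefix lookup and both check styles, plus the `allow-default` knob, so you can see why a multihomed customer's asymmetric traffic is dropped by strict mode but not loose mode, and why a Null0 route for the attacking source prefix drops packets in either mode. All prefixes, interface names and the FIB contents are constructed for the example; the mode names correspond to IOS `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose), but the logic here is a teaching approximation, not the router's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# One FIB entry: the prefix, the interface the router would send *to* that
# prefix through, and the next hop (None models a Null0 / discard route).
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress_if: str
    next_hop: Optional[str]


def fib_lookup(fib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the same kind of lookup CEF does on forwarding."""
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(fib: List[Route], src: str, in_if: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check, False if it is dropped.

    strict: the source must be reachable via the interface the packet came in on.
    loose:  the source just needs some non-null route in the FIB.
    allow_default: whether a 0.0.0.0/0 match counts as "reachable" at all.
    """
    route = fib_lookup(fib, ipaddress.IPv4Address(src))
    if route is None:
        return False                       # no route: spoofed or unknown source
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                       # only the default covers it
    if route.next_hop is None:
        return False                       # source prefix black-holed on Null0
    if mode == "loose":
        return True                        # route exists, that is enough
    return route.egress_if == in_if        # strict: best return path must match


# Constructed FIB for a small edge router (all values are made up for the example).
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"),       "Gi0/0",  "transit"),     # default to upstream
    Route(ipaddress.ip_network("192.0.2.0/24"),    "Gi0/1",  "cust-single"), # single-homed customer
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/2",  "cust-mh-a"),   # multihomed customer, best path
    Route(ipaddress.ip_network("203.0.113.0/24"),  "Null0",  None),          # attack source, null-routed via iBGP
]


def run_scenarios() -> dict:
    """Exercise the cases argued about in the thread; returns {name: passed?}."""
    return {
        # Customer traffic arriving where the FIB expects it: passes both modes.
        "single_homed_strict":     urpf_check(FIB, "192.0.2.10",   "Gi0/1", "strict"),
        # Same source arriving from the transit side (spoof or leak): strict drops,
        # loose accepts because the prefix is in the table.
        "single_homed_from_upstream_strict": urpf_check(FIB, "192.0.2.10", "Gi0/0", "strict"),
        "single_homed_from_upstream_loose":  urpf_check(FIB, "192.0.2.10", "Gi0/0", "loose"),
        # Multihomed customer sending over its second link: the FIB's best return
        # path is Gi0/2, so strict mode "borks" the customer; loose does not.
        "multihomed_backup_link_strict": urpf_check(FIB, "198.51.100.5", "Gi0/3", "strict"),
        "multihomed_backup_link_loose":  urpf_check(FIB, "198.51.100.5", "Gi0/3", "loose"),
        # Null-routed source prefix: dropped even in loose mode (source-based blackhole).
        "blackholed_source_loose": urpf_check(FIB, "203.0.113.7", "Gi0/0", "loose"),
        # Source covered only by the default route: dropped unless allow-default is set.
        "default_only_strict":       urpf_check(FIB, "10.1.1.1", "Gi0/0", "strict"),
        "default_only_allow_default": urpf_check(FIB, "10.1.1.1", "Gi0/0", "strict", allow_default=True),
    }


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name:36s} {'pass' if passed else 'DROP'}")
```

The practical reading: strict mode belongs on single-homed customer edges, where the FIB's best return path and the ingress interface always agree; loose mode is the safe choice on peering and transit interfaces, where it still drops unrouted sources and, combined with an iBGP-propagated Null0 route for the offending source prefix, lets you shed an attack across every edge at line rate without an ACL.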