|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Once upon a time, John Kristoff <[email protected]> said: > It might be nice if all router vendors were able to associate the > interface configured address(es)/nets as a variable for ingress > filters. So for in the Cisco world, a simple example would be: > > interface Serial0 > ip address 192.0.2.1 255.255.255.128 > ip access-group 100 in > ! > interface Serial1 > ip address 192.0.2.129 255.255.255.128 > ip access-group 100 in > ! > access-list 100 permit ip $interface-routes any > access-list 100 deny ip any any How is this different than "ip verify unicast reverse-path" (modulo CEF problems and bugs, which of course NEVER happen :-) )? Multihomed customers are more interesting, but if all the single homed customers had uRPF (or $VENDOR's equivalent) enabled it would cut down on a significant amount of the spoofed traffic. -- Chris Adams <[email protected]> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
|