North American Network Operators Group

RE: Using Policy Routing to stop DoS attacks
On Wed, 14 May 2003, Lars Higham wrote:

> Well, this is also from the docs:
>
> Unicast reverse path-forwarding (uRPF) check is a tool to reduce
> forwarding of IP packets that may be spoofing an address. A uRPF check
> performs a route table lookup on an IP packet's source address, and
> checks the incoming interface. The router determines whether the packet
> is arriving from a path that the sender would use to reach the
> destination. If the packet is from a valid path, the router forwards the
> packet to the destination address. If it is not from a valid path, the
> router discards the packet. uRPF is supported for both Internet Protocol
> Version 4 (IPv4) and Internet Protocol Version 6 (IPv6) protocol
> families.
>
> Do you have more specific questions about the implementation?

The original question was along the lines of: "On a cisco the blackholed
SOURCE address will get dumped in uRPF, is that possible on the Juniper
also?"

>
> Regards,
> Lars
>
> -----Original Message-----
> From: Christopher L. Morrow [mailto:[email protected]]
> Sent: Wednesday, May 14, 2003 9:37 AM
> To: Lars Higham
> Cc: 'Stefan Mink'; 'Haesu'; [email protected]; [email protected]
> Subject: RE: Using Policy Routing to stop DoS attacks
>
>
> On Wed, 14 May 2003, Lars Higham wrote:
>
> > Sorry,
> >
> > I misunderstood the earlier question -
> >
> > From the docs:
> > To enable unicast RPF check, include the unicast-reverse-path
> > statement at the [edit routing-options forwarding-table] hierarchy
> > level:
> >
> > [edit]
> > routing-options {
> >     forwarding-table {
> >         unicast-reverse-path (active-paths | feasible-paths);
> >     }
> > }
> >
>
> yes, the config bits are on the website.... BUT, not the details of the
> implementation :) So, does uRPF on a juniper work the same as the
> cisco??
> :)
>
> > Regards,
> > Lars Higham
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of Christopher L. Morrow
> > Sent: Tuesday, May 13, 2003 2:00 AM
> > To: Stefan Mink
> > Cc: Haesu; [email protected]; [email protected]
> > Subject: Re: Using Policy Routing to stop DoS attacks
> >
> >
> > On Mon, 12 May 2003, Stefan Mink wrote:
> >
> > > On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow
> > > wrote:
> > > > you could hold blackhole routes for these destinations in your
> > > > route table (local or bgp) So long as the destination for the
> > > > source is bad (null for instance) the traffic would get dropped.
> > > > I believe the proper terms from cisco for this are: "So long as
> > > > the adjacency is invalid" ...
> > >
> > > is there a way to make this source-blackhole-routing work on J's too
> > > (does this work with discard-routes too)?
> > >
> >
> > I believe someone from Juniper should likely answer this question :)
> > As I understand the setup from a Cisco perspective (and someone from
> > Cisco can correct me if I get it wrong). uRPF works in such a way that
> > if the source address's destination has an invalid FIB entry (or no
> > entry, or Null0) the packets are dropped.
> >
> > Perhaps Juniper implemented it this way? I have not checked anymore
> > closely than this. Sorry. :(
> >
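The mechanism the thread is discussing, as an added illustration that is not part of the archived messages and not vendor code: a small Python model of the uRPF decision described above. The source address is looked up in the forwarding table exactly as a destination would be; if that lookup finds no entry, or finds an entry whose next hop is a blackhole (Cisco "Null0", Junos "discard"), the packet is dropped. That is why installing a blackhole route for a *source* prefix (the "source-blackhole-routing" Stefan asks about) makes uRPF discard everything claiming that source. Strict mode additionally requires the route's egress interface to match the interface the packet arrived on, compared here against the single active path (the "active-paths" choice in the quoted Junos snippet). The FIB contents, interface names and the `allow_default` parameter are constructed for this example; the default-route case is included because a default route would otherwise make every source look "reachable" in loose mode.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed forwarding table for the example (not from any real router).
# interface=None models a blackhole next hop: Cisco Null0 / Junos discard.
@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    interface: Optional[str]  # egress interface, or None for a blackhole


FIB: List[FibEntry] = [
    FibEntry(ipaddress.ip_network("10.0.0.0/8"), "ge-0/0/0"),      # customer A
    FibEntry(ipaddress.ip_network("172.16.0.0/12"), "ge-0/0/1"),   # customer B
    FibEntry(ipaddress.ip_network("203.0.113.0/24"), "ge-0/0/2"),  # peer
    FibEntry(ipaddress.ip_network("192.0.2.0/24"), None),          # blackholed SOURCE prefix
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/3"),       # default -> upstream
]


def lookup(addr: str) -> Optional[FibEntry]:
    """Longest-prefix match, the same lookup the FIB does for a destination."""
    ip = ipaddress.ip_address(addr)
    best: Optional[FibEntry] = None
    for entry in FIB:
        if ip in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_verdict(src: str, ingress: str, mode: str = "loose",
                 allow_default: bool = False) -> str:
    """
    Return "forward" or "drop" for a packet with source `src` arriving on `ingress`.

    loose:  drop only when the source has no route, routes to a blackhole,
            or (unless allow_default) is covered only by the default route.
    strict: as loose, and the route's egress interface must equal `ingress`.
    `allow_default` is this example's own name for the knob that decides
    whether a default-route match counts as a valid path.
    """
    entry = lookup(src)
    if entry is None:
        return "drop"                      # no FIB entry at all
    if entry.interface is None:
        return "drop"                      # Null0 / discard: "adjacency is invalid"
    if entry.prefix.prefixlen == 0 and not allow_default:
        return "drop"                      # only the default route knows this source
    if mode == "strict" and entry.interface != ingress:
        return "drop"                      # arrived on the wrong interface
    return "forward"


def filter_packets(packets: List[Tuple[str, str]], mode: str = "loose") -> List[Tuple[str, str, str]]:
    """Apply the check to a list of (source, ingress_interface) pairs."""
    return [(src, ifc, urpf_verdict(src, ifc, mode)) for src, ifc in packets]


if __name__ == "__main__":
    # Constructed sample traffic: legitimate, spoofed and blackholed sources.
    sample = [
        ("10.1.2.3", "ge-0/0/0"),        # customer A from its own port
        ("10.1.2.3", "ge-0/0/1"),        # A's address arriving on B's port (spoofed)
        ("192.0.2.7", "ge-0/0/3"),       # source prefix we blackholed
        ("198.51.100.9", "ge-0/0/3"),    # covered only by the default route
    ]
    for mode in ("loose", "strict"):
        print(mode)
        for src, ifc, verdict in filter_packets(sample, mode):
            print(f"  {src:>14} via {ifc}: {verdict}")
```

The point a practitioner should take from the model is that uRPF never looks at a packet's destination; the blackhole route has to be installed for the source prefix, and in loose mode a default route must be excluded from the check or no source will ever fail it.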