North American Network Operators Group
Re: uRPF-based Blackhole Routing System Overview
On Fri, 7 Nov 2003, Robert A. Hayden wrote:

[snip]

> One final note. This system is pretty useless for modem pools, VPN
> concentrators, and many DHCP implementations. The dynamic IP nature of
> these setups means you will just kill legitimate traffic next time someone
> gets the IP. You can attempt to correlate your detection with the time
> they were handed out, of course, in the hopes you find them.

Another approach to address this type of problem is the source spoofing preventing dynamic-acls support that some vendors have been adding to their products. I don't know if it's in anyone's production code-trains yet. The basic idea is that your switch snoops DHCP traffic to the port and generates an ACL based on the address assigned to the client. Removing a host is as simple as configuring your DHCP server to ignore its requests and perhaps sending a crafty packet (custom written DECLINE) to burp the existing ACL out of the switch. Vendor F calls this feature "Source IP Port Security", I'm not sure what vendor C calls it. Since this is a layer 2 feature you can configure it far out on the edge and not just at the router.
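The snooping mechanism the reply describes, as an added toy model (not code from the post or from any vendor's implementation): the switch learns a per-port (MAC, IP) binding from the DHCP ACK that assigns an address, forwards IP frames from an access port only when their source matches that binding, and drops the binding on a client DECLINE/RELEASE or lease expiry. The trusted/untrusted port split, the class and method names, and the lease handling are assumptions for illustration.

```python
"""Toy DHCP-snooping / source-IP port-security model (added example,
hypothetical API, not vendor or NANOG-post code)."""
from dataclasses import dataclass, field

@dataclass
class Binding:
    mac: str
    ip: str
    expires: float  # simulated lease expiry time

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # uplink ports toward the DHCP server
    mac_port: dict = field(default_factory=dict)  # client MAC -> access port
    bindings: dict = field(default_factory=dict)  # access port -> Binding

    def dhcp(self, port, msg, mac, ip=None, lease=0.0, now=0.0):
        """Snoop one DHCP message seen on `port`; return True if it was honoured."""
        if msg in ("DISCOVER", "REQUEST"):
            if port in self.trusted:  # clients live on untrusted access ports only
                return False
            self.mac_port[mac] = port
            return True
        if msg == "ACK":
            # Server replies must arrive on a trusted port; otherwise a rogue
            # DHCP server on an access port could mint bindings at will.
            if port not in self.trusted or mac not in self.mac_port:
                return False
            self.bindings[self.mac_port[mac]] = Binding(mac, ip, now + lease)
            return True
        if msg in ("DECLINE", "RELEASE"):
            # Client tears down its own binding (the "burp" the post describes).
            b = self.bindings.get(port)
            if b is not None and b.mac == mac:
                del self.bindings[port]
                return True
        return False

    def permit(self, port, mac, ip, now=0.0):
        """True if an IP frame from (port, mac, ip) may be forwarded at time `now`."""
        if port in self.trusted:
            return True
        b = self.bindings.get(port)
        if b is None or now >= b.expires:
            self.bindings.pop(port, None)  # expired lease: drop the binding
            return False
        return b.mac == mac and b.ip == ip
```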