North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: uRPF-based Blackhole Routing System Overview
Vendor C calls it DHCP snooping and to the best of my knowledge it is only available under IOS not CatOS Scott C. McGrath On Fri, 7 Nov 2003, Greg Maxwell wrote: > > On Fri, 7 Nov 2003, Robert A. Hayden wrote: > > [snip] > > One final note. This system is pretty useless for modem pools, VPN > > concentrators, and many DHCP implementations. The dynamic IP nature of > > these setups means you will just kill legitimate traffic next time someone > > gets the IP. You can attempt to correlate your detection with the time > > they were handed out, of course, in the hopes you find them. > > Another approach to address this type of problem is the source spoofing > preventing dynamic-acls support that some vendors have been adding to > their products. I don't know if it's in anyone's production code-trains > yet. > > The basic idea is that your switch snoops DHCP traffic to the port and > generates an ACL based on the address assigned to the client. Removing a > host is as simple as configuring your DHCP server to ignore it's requests > and perhaps sending a crafty packet (custom written DECLINE) to burp the > existing ACL out of the switch. > > Vendor F calls this feature "Source IP Port Security", I'm not sure what > vendor C calls it. > > Since this is a layer 2 feature you can configure it far out on the edge > and not just at the router. > >
|