nanog mailing list archives
Re: Effective ways to deal with DDoS attacks?
From: Stephen Griffin <stephen.griffin () rcn com>
Date: Fri, 3 May 2002 15:05:11 -0400 (EDT)
In the referenced message, Eric Gauthier said:

<snip>

Another limitation that we've found with uRPF is that it doesn't live well with multihomed systems (i.e. a host with two NIC's - each on a different subnet) because of the way most OS'es handle their default gateways. For anyone who is interested in our experience, drop me a note off list. If you have a solution for this multihoming problem, PLEASE email me off-list.

Eric :)
Most Cisco boxes have 3 related modes of uRPF:

1) pure RPF, if forwarding path back to source doesn't go via interface packet received from, then dump. I believe, but am not positive, that it will handle equal-cost-multipath ok in situations where that exists.
2) acl exceptions, if source matches the acl, allow the packet
3) not-so-pure RPF, if there is _any_ forwarding path back to the source via _any_ interface, then accept.

for single-homed customers, simple uRPF

for multihomed customers, acl exceptions based upon their registered IRR-policy, since the customer should already be registering in the IRR you have a list of all networks reachable via the customer, regardless of the actual real-time announcements or policy applications (prepending, localpref tweaks, etc)

for peers that are clued-in, again acl exceptions based upon the peer's registered policy

for non-clued peers, accept based upon any available forwarding path [hopefully, by the 100th time you beat on the peer about spoofed crud coming from them, they'll get religion and register, since you'll have less overall spoofing to track down, you can devote it to slapping them around more]

you should also in/egress filter known bogons at all borders, like
src/dst in rfc1918
src/dst in class e
src in class d (not dest, however)
etc
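
The three uRPF modes and the bogon rules from the message above, modelled as an added example that is not part of the original post or any vendor's implementation. The FIB, the interface names (`cust1`, `cust2`, `peer1`) and the prefixes are constructed for illustration, and the router is assumed to carry no default route.

```python
import ipaddress as ipa

RFC1918 = [ipa.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_D = ipa.ip_network("224.0.0.0/4")
CLASS_E = ipa.ip_network("240.0.0.0/4")

# Constructed FIB: prefix -> egress interfaces (a set, so equal-cost paths fit).
# 203.0.113.0/24 belongs to a multihomed customer attached on cust2, but the
# customer prepends towards us, so our best path currently points at peer1.
FIB = {
    ipa.ip_network("198.51.100.0/24"): {"cust1"},
    ipa.ip_network("203.0.113.0/24"): {"peer1"},
}
# Exception ACL for cust2, built from what the customer registered in the IRR
# (assumed content), independent of what they announce right now.
CUST2_IRR_ACL = [ipa.ip_network("203.0.113.0/24")]

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface set, empty if no route."""
    hits = [n for n in fib if addr in n]
    return fib[max(hits, key=lambda n: n.prefixlen)] if hits else set()

def is_bogon(src, dst):
    """src/dst in RFC 1918, src/dst in class E, src (but not dst) in class D."""
    if any(a in n for a in (src, dst) for n in RFC1918 + [CLASS_E]):
        return True
    return src in CLASS_D

def urpf_accept(fib, mode, in_if, src, dst, acl=()):
    """mode: 'strict' (pure RPF), 'acl' (strict plus exceptions), 'loose' (any path)."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    if is_bogon(src, dst):
        return False
    back = lookup(fib, src)
    if mode == "loose":
        return bool(back)          # any route back via any interface
    if in_if in back:
        return True                # reverse path uses the receiving interface
    return mode == "acl" and any(src in n for n in acl)

if __name__ == "__main__":
    for mode in ("strict", "acl", "loose"):
        ok = urpf_accept(FIB, mode, "cust2", "203.0.113.9", "192.0.2.1", CUST2_IRR_ACL)
        print(f"{mode:6} legit multihomed source on cust2 -> {'accept' if ok else 'drop'}")
```

Strict mode drops the multihomed customer's legitimate traffic because the reverse path points elsewhere; the IRR-derived ACL restores it without also admitting another customer's addresses on that interface, which loose mode would.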