nanog mailing list archives
RE: Using Policy Routing to stop DoS attacks
From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 14 May 2003 05:19:11 +0000 (GMT)
On Wed, 14 May 2003, Lars Higham wrote:
> Well, this is also from the docs:
>
> Unicast reverse path-forwarding (uRPF) check is a tool to reduce forwarding of IP packets that may be spoofing an address. A uRPF check performs a route table lookup on an IP packet's source address, and checks the incoming interface. The router determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the router forwards the packet to the destination address. If it is not from a valid path, the router discards the packet. uRPF is supported for both Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6) protocol families.
>
> Do you have more specific questions about the implementation?
The original question was along the lines of: "On a cisco the blackholed SOURCE address will get dumped in uRPF, is that possible on the Juniper also?"
> Regards,
> Lars
>
> -----Original Message-----
> From: Christopher L. Morrow [mailto:chris () UU NET]
> Sent: Wednesday, May 14, 2003 9:37 AM
> To: Lars Higham
> Cc: 'Stefan Mink'; 'Haesu'; jtk () aharp is-net depaul edu; nanog () merit edu
> Subject: RE: Using Policy Routing to stop DoS attacks
>
> On Wed, 14 May 2003, Lars Higham wrote:
>
> > Sorry, I misunderstood the earlier question -
> >
> > From the docs:
> >
> > To enable unicast RPF check, include the unicast-reverse-path statement
> > at the [edit routing-options forwarding-table] hierarchy level:
> >
> > [edit]
> > routing-options {
> >     forwarding-table {
> >         unicast-reverse-path (active-paths | feasible-paths);
> >     }
> > }
>
> yes, the config bits are on the website.... BUT, not the details of the
> implementation :) So, does uRPF on a juniper work the same as the cisco?? :)
>
> > Regards,
> > Lars Higham
> >
> > -----Original Message-----
> > From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Christopher L. Morrow
> > Sent: Tuesday, May 13, 2003 2:00 AM
> > To: Stefan Mink
> > Cc: Haesu; jtk () aharp is-net depaul edu; nanog () merit edu
> > Subject: Re: Using Policy Routing to stop DoS attacks
> >
> > On Mon, 12 May 2003, Stefan Mink wrote:
> >
> > > On Tue, Mar 25, 2003 at 04:58:59PM +0000, Christopher L. Morrow wrote:
> > >
> > > > you could hold blackhole routes for these destinations in your route
> > > > table (local or bgp). So long as the destination for the source is bad
> > > > (null for instance) the traffic would get dropped. I believe the proper
> > > > terms from cisco for this are: "So long as the adjacency is invalid" ...
> > >
> > > is there a way to make this source-blackhole-routing work on J's too
> > > (does this work with discard-routes too)?
> >
> > I believe someone from Juniper should likely answer this question :) As I
> > understand the setup from a Cisco perspective (and someone from Cisco can
> > correct me if I get it wrong). uRPF works in such a way that if the source
> > address's destination has an invalid FIB entry (or no entry, or Null0) the
> > packets are dropped. Perhaps Juniper implemented it this way? I have not
> > checked any more closely than this. Sorry. :(
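The mechanism the thread is circling (a uRPF lookup on the source address, and a source whose best route points at Null0 / discard being dropped regardless of mode) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is neither Cisco nor Juniper code and is not from any of the posters. The three mode names are taken from the knobs mentioned in the thread (Junos `active-paths` / `feasible-paths` for a strict check, plus a `loose` mode in the Cisco sense); the FIB contents, interface names and addresses are constructed for the example, and the `Fib` and `urpf_check` helpers are this model's own, not a vendor API.

```python
import ipaddress

# Sentinel for a blackhole next hop (Cisco "Null0", Junos "discard").
DISCARD = "discard"


class Fib:
    """Minimal longest-prefix-match forwarding table (constructed model,
    not a vendor implementation)."""

    def __init__(self, routes):
        # routes: (prefix, active_next_hops, feasible_next_hops)
        #   active   = next hop(s) actually used to forward toward the prefix
        #   feasible = every path the router knows about; always includes active
        self.routes = [
            (ipaddress.ip_network(prefix), set(active), set(feasible) | set(active))
            for prefix, active, feasible in routes
        ]

    def lookup(self, addr):
        """Return (prefix, active, feasible) for the most specific match, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, active, feasible in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, active, feasible)
        return best


def urpf_check(fib, src, in_iface, mode):
    """True if a packet from `src` arriving on `in_iface` passes the uRPF check.

    mode: "active-paths"   strict check against the best path(s) only
          "feasible-paths" strict check against any known path
          "loose"          source only needs *some* non-discard route
    A source whose best route points at DISCARD fails in every mode; that is
    the source-blackhole trick the thread asks about. A source with no route
    at all also fails (this model has no default route; see note below).
    """
    entry = fib.lookup(src)
    if entry is None:
        return False
    _, active, feasible = entry
    if DISCARD in active:
        return False
    if mode == "loose":
        return True
    if mode == "active-paths":
        return in_iface in active
    if mode == "feasible-paths":
        return in_iface in feasible
    raise ValueError(f"unknown uRPF mode {mode!r}")


def sample_fib():
    """Constructed FIB: two customer prefixes (one multihomed) and a /32 blackhole."""
    return Fib([
        ("203.0.113.0/24", ["ge-0/0/1"], []),             # single-homed customer
        ("198.51.100.0/24", ["ge-0/0/1"], ["ge-0/0/2"]),  # customer with a backup link
        ("192.0.2.66/32", [DISCARD], []),                 # attack source, blackholed
    ])


def classify(fib, packets, mode):
    """Map each (src, in_iface) to 'forward' or 'drop' under the given mode."""
    return {(src, iface): ("forward" if urpf_check(fib, src, iface, mode) else "drop")
            for src, iface in packets}


if __name__ == "__main__":
    fib = sample_fib()
    packets = [                        # constructed sample traffic
        ("203.0.113.5", "ge-0/0/1"),   # legitimate customer traffic
        ("203.0.113.5", "ge-0/0/0"),   # same source, spoofed from the upstream side
        ("198.51.100.7", "ge-0/0/2"),  # multihomed customer using its backup link
        ("192.0.2.66", "ge-0/0/0"),    # blackholed source
        ("10.0.0.1", "ge-0/0/0"),      # no route at all
    ]
    for mode in ("active-paths", "feasible-paths", "loose"):
        print(mode, classify(fib, packets, mode))
```

The multihomed case is why the `active-paths` / `feasible-paths` distinction matters in practice: a customer that announces its prefix over two links but is only being forwarded to over one will have traffic on the backup link dropped by a check that only trusts the active path. Two caveats the model leaves out: real routers carry a default route, and vendors differ on whether it satisfies a uRPF lookup (on Cisco IOS that is the `allow-default` keyword on `ip verify unicast source reachable-via`); and a blackhole installed as a /32 only helps against a single source, so the same trick is usually driven by BGP so it can be pushed to every edge router at once.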
Current thread:
- Re: Using Policy Routing to stop DoS attacks Stefan Mink (May 12)
- Re: Using Policy Routing to stop DoS attacks Christopher L. Morrow (May 12)
- Message not available
- Re: Using Policy Routing to stop DoS attacks Stefan Mink (May 13)
- Re: Using Policy Routing to stop DoS attacks Jeff Kell (May 13)
- Re: Using Policy Routing to stop DoS attacks Stefan Mink (May 13)
- <Possible follow-ups>
- RE: Using Policy Routing to stop DoS attacks Christopher L. Morrow (May 13)
- RE: Using Policy Routing to stop DoS attacks Christopher L. Morrow (May 13)