nanog mailing list archives
Re: Permitting spoofed traffic [Was: Re: ddos attack blog]
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 14 Feb 2014 21:18:17 -0500
On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I can't endorse or advocate any particular method of blocking spoofed IP packets in your gear.
If you're dead-end, a basic ACL that permits ONLY your prefixes on egress, and blocks your prefixes on ingress, is perhaps the safest bet. Strict uRPF has its complications, and loose uRPF is almost too forgiving. If you're providing transit, it gets much more complicated much more quickly, but the same principles apply (they just get to be a less-than-100% solution) :)
> I can, however, say with confidence that it is still a good idea. Great idea, even. :-)
Oh yeah :)
Jeff
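The trade-off in the reply above, modeled as an added example that is not part of the original thread: a prefix ACL, strict uRPF and loose uRPF evaluated on the same packets at the border of a dual-homed stub network. The prefixes (RFC 5737 documentation ranges), the interface names `lan0`, `isp_a`, `isp_b` and the routing table are constructed assumptions.

```python
import ipaddress

# Constructed sample data: the site's own prefix (assumption).
MY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical FIB of the border router: (prefix, outgoing interface).
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "lan0"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp_a"),
    (ipaddress.ip_network("203.0.113.0/24"), "isp_b"),
]

def best_route(addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    matches = [(net.prefixlen, ifc) for net, ifc in FIB if addr in net]
    return max(matches)[1] if matches else None

def is_mine(addr):
    return any(addr in net for net in MY_PREFIXES)

def acl(src, in_if):
    """Stub-network ACL: only own prefixes may leave, none may enter."""
    if in_if == "lan0":          # packet is leaving the site
        return is_mine(src)
    return not is_mine(src)      # packet is arriving from an upstream

def strict_urpf(src, in_if):
    """Accept only if the best route back to src uses the arrival interface."""
    return best_route(src) == in_if

def loose_urpf(src, in_if):
    """Accept if any route to src exists, regardless of interface."""
    return best_route(src) is not None

def evaluate(src, in_if):
    a = ipaddress.ip_address(src)
    return {"acl": acl(a, in_if),
            "strict": strict_urpf(a, in_if),
            "loose": loose_urpf(a, in_if)}

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "lan0", "legitimate egress"),
        ("198.51.100.7", "lan0", "inside host spoofing an outside source"),
        ("192.0.2.10", "isp_a", "outside packet spoofing our prefix"),
        ("198.51.100.7", "isp_b", "legitimate, but arriving asymmetrically"),
    ]
    for src, in_if, label in cases:
        print(f"{label:42} {src:14} via {in_if:6} {evaluate(src, in_if)}")
```

Loose uRPF passes both spoofed packets because a route to the source exists somewhere, while strict uRPF drops the legitimate packet that arrives on the non-preferred upstream.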