nanog mailing list archives
Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]
From: Vincent Bernat <bernat () luffy cx>
Date: Mon, 26 Sep 2016 09:34:34 +0200
❦ 26 September 2016 09:14 CEST, Valdis.Kletnieks () vt edu :
> Linux: From /etc/sysctl.conf:
>
> # Uncomment the next two lines to enable Spoof protection (reverse-path
> # filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.all.rp_filter=1
Only "all" is needed since the kernel will use the max of all and the current interface value.
> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be
> a thing on Linux.
>
> See net/ipv6/netfilter/ip6t_rpfilter.c
>
> Also, note that a lot of net.ipv4.conf variables also apply to ipv6
> (though checking the source tree, this isn't one of them, unless it's
> via a macro that some quick grepping didn't find...)
Yes, it doesn't apply. In Linux, there is no such thing as feature
parity for IPv6. davem said in the past that he didn't want this feature
in IPv6 and was planning to remove it in IPv4 (but I think this will
never happen):

http://www.spinics.net/lists/netdev/msg166280.html

I am using this instead (assuming ip46tables is iptables + ip6tables):

ip46tables -t raw -N RPFILTER
ip46tables -t raw -A RPFILTER -m rpfilter -j RETURN
iptables   -t raw -A RPFILTER -d 255.255.255.255 -p udp --sport bootpc --dport bootps -j RETURN
ip6tables  -t raw -A RPFILTER -m rpfilter --accept-local -m addrtype --dst-type MULTICAST -j DROP
ip46tables -t raw -A RPFILTER -m limit --limit 5/s --limit-burst 5 \
    -j NFLOG --nflog-group 99 \
    --nflog-prefix "NF: rpfilter: "
ip46tables -t raw -A RPFILTER -j DROP
ip46tables -t raw -A PREROUTING -j RPFILTER

-- 
Use data arrays to avoid repetitive control sequences.
            - The Elements of Programming Style (Kernighan & Plauger)
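The remark above that only net.ipv4.conf.all.rp_filter needs to be set rests on the kernel enforcing the maximum of the "all" value and the per-interface value. The script below is an added example, not part of the post and not a tool shipped with Linux or iptables: it reads the rp_filter knobs under /proc/sys/net/ipv4/conf (or under any directory passed as the second argument, an assumption made so it can be exercised offline against a constructed tree) and reports the value the kernel will actually apply on each interface, exiting non-zero if any interface is left with reverse-path filtering off. It covers IPv4 only; as the post says, there is no sysctl equivalent for IPv6, where the ip6tables rpfilter match has to do the job.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter value per interface.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so a
# value of 1 in "all" overrides a 0 left in "default" or on an interface.
# PROCROOT is an assumption for offline testing; it defaults to the live
# /proc tree.

# effective_rp_filter IFACE [PROCROOT]
# Prints the enforced value: 0 (off), 1 (strict), 2 (loose).
effective_rp_filter() {
    iface="$1"
    procroot="${2:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$procroot/all/rp_filter" 2>/dev/null || echo 0)
    per=$(cat "$procroot/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$per" ]; then
        echo "$all"
    else
        echo "$per"
    fi
}

# rp_filter_mode VALUE
# Prints the human-readable meaning of an rp_filter value.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# audit_rp_filter [PROCROOT]
# Prints "<iface> <value> <mode>" for every real interface and returns 1
# if any of them ends up with reverse-path filtering disabled.
audit_rp_filter() {
    procroot="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for dir in "$procroot"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are templates, not interfaces; lo never
        # carries packets that need a reverse-path check.
        case "$iface" in all|default|lo) continue ;; esac
        v=$(effective_rp_filter "$iface" "$procroot")
        echo "$iface $v $(rp_filter_mode "$v")"
        if [ "$v" -eq 0 ]; then
            rc=1
        fi
    done
    return $rc
}

# Run the audit against the live kernel when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    audit_rp_filter
fi
```

Saved to a file and run with `--audit` on a Linux host, the script lists each interface with its enforced value; a non-zero exit status means at least one interface still accepts packets regardless of their source address, which is exactly the gap BCP38 filtering is meant to close.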