We (at least cisco, anyways) already have a knob for this:
[no] ip verify unicast reverse-path
We call it Unicast RPF.
And its well documented... NOT
and available on all routers/interfaces... NOT
If it was documented and available on things like PRIs then it would
be a lot easier to deploy. Also some of the bugs that turn off CEF
need to be addressed (or at least also cause "ip verify unicast
reverse-path" to be turned off too).
Mark.
- Re: Internet SYN Flooding, spoofing attacks Perry E. Metzger
- Re: Internet SYN Flooding, spoofing attacks John Stracke
- Re: Internet SYN Flooding, spoofing attacks Paul Ferguson
- Re: Internet SYN Flooding, spoofing attacks Vijay Gill
- Re: Internet SYN Flooding, spoofing attac... Paul Ferguson
- Re: Internet SYN Flooding, spoofing a... Vijay Gill
- Re: Internet SYN Flooding, spoof... Paul Ferguson
- Re: Internet SYN Flooding, s... Mark Prior
- Re: Internet SYN Flooding, spoofing a... Valdis . Kletnieks
- Re: Internet SYN Flooding, spoof... Paul Ferguson
- Re: Internet SYN Flooding, spoofing a... Mark Prior
- Re: Internet SYN Flooding, spoofing attacks Michael H. Warfield
- Re: Internet SYN Flooding, spoofing attacks Steven M. Bellovin
- Re: Internet SYN Flooding, spoofing attacks Anders Feder
- Re: Internet SYN Flooding, spoofing attacks Phil Karn
- Re: Internet SYN Flooding, spoofing attacks Daniel Senie
- Re: Internet SYN Flooding, spoofing attac... John Hawkinson
- Re: Internet SYN Flooding, spoofing a... Phil Karn
- Re: Internet SYN Flooding, spoof... Robert Elz
- Re: Internet SYN Flooding, spoof... RJ Atkinson
- Re: Internet SYN Flooding, spoofing attac... Phil Karn
