mailing list archives
Re: DDOS Attack Mitigation
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 16 Feb 2000 12:50:27 +1100
In some mail from Hugh LaMaster, sie said:
The simplest ingress filtering to stop IP address
spoofing on a Cisco is simply to apply the following
to stub network interfaces:
ip verify unicast reverse-path
I assume that this is mostly what people are talking about
in this context.
How recent is this in terms of IOS releases ?
Well, it was/is in 11.1(17)CC and later CC images, which
goes back about 2 or 2-1/2 years or so, and, it has been
in all 12.0(x)S. I'm not sure about all other 12.0 images,
since we have used 11.1(x)CC and 12.0(x)S images since I've been
here - but, the web pages imply that it is in most/all 12.0 images;
the -CC and -S trains are the so-called ISP versions,
which transit ISPs use, and, which many campuses and Tier 2-4
providers should probably also use on their borders and aggregation
Hmm,from a 1720:
21:07:33: %SYS-5-CONFIG_I: Configured from console by console
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Thu 15-Apr-99 13:58 by kpma
Image text-base: 0x80008088, data-base: 0x804FC75C
ROM: System Bootstrap, Version 12.0(1)XA1, RELEASE SOFTWARE (fc1)
gw(config)#ip verify unicast reverse-path
% Invalid input detected at '^' marker.