Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: rp_filter? (was Re: DDOS Attack Mitigation)
From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Sun, 20 Feb 2000 13:44:12 -0700


Linux already has such an option; just go

        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
        done

and the routing logic will drop packets with forged source addrs.
It's not on by default. Yet.

Julien Nadeau writes:
I must be missing something but isn't rp_filter ineffective?
I have it turned on all my local machines, including the router;
i was able to forge packets with any source/destination address
and it routes like a charm.

You may need to dig a little deeper into the documentation.  From the linux
2.2.14 kernel sources, .../Documentation/networking/ip-sysctl.txt:

----------------8<----------------8<----------------8<----------------
rp_filter - INTEGER
        2 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
            that look as sourced at a directly connected interface, but
            were input from another interface.

        0 - No source validation.

        NOTE: do not disable this option! All BSD derived routing software
        (sort of gated, routed etc. etc.) is confused by such packets,
        even if they are valid. When enabled it also prevents ip spoofing
        in some limited fashion.

        NOTE: this option is turned on per default only when ip_forwarding
        is on. For non-forwarding hosts it doesn't make much sense and
        makes some legal multihoming configurations impossible.
----------------8<----------------8<----------------8<----------------

A lot of other information that would be interesting to the Linux folks on
this list can be found in that file.

        Hope this helps,
                Chuck


  By Date           By Thread  

Current thread:
  • Re: rp_filter? (was Re: DDOS Attack Mitigation) Chuck Phillips (Feb 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]