Home page logo

nanog logo nanog mailing list archives

Re: Network Operators and smurf
From: Havard.Eidnes () runit sintef no
Date: Sat, 25 Apr 1998 18:35:22 +0200

This should (naturally) be implemented where routing is symmetric
and where a "reverse-path check" (looking up the source address in
the routing table to find the "expected" incoming interface and
checking whether the packet did indeed enter through that interface)

The big question is, what do you do if most of your traffic
_is_ asymetrical?

Well, in that case you can't apply this method.

It may however make sense to think of reengineering the network
so that those boxes which can't do this check sits "behind" such
a RPF-checking box.

I mean, a more basic check could be, "Does the network that
this packet was sourced from exist *at all*?", or "Do I have a
route back to the source network through *any* interface?"

That would cut down on a good amount of spoofing, like the
idiots who spoof from etc.

It would prevent simple spoofing, yes, but that would not
eliminate the Smurf attacks since to mount a Smurf attack you
need to use the victim's address as your source address, and that
one *is* typically "valid" according to the criteria you mention
above (?).

- HÃ¥vard

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]