Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: TC Wolsey <tc () thebiz net>
Date: Fri, 2 Feb 2001 09:33:42 -0500 (EST)



On Wed, 31 Jan 2001, Ryan Russell wrote:

On Wed, 31 Jan 2001, Eric Vyncke wrote:

As a Cisco employee, I would be afraid of changing the default behavior
of a router. This would generate thousands of calls to our support center
of people complaining: 'this was working before but after upgrade
it does not work anymore' (for people having a non 'leaf-subnet')... ;-)

I realize there would be a period of pain.  I'm of the opinion that Cisco
just has to suck it up and take one for the team.


As you probably know, this command already exists in a more
esoteric form:
   ip verify unicast reverse-path


Being on by default is the key, by my thinking.

                                      Ryan

ip verify unicast reverse is actually more useful than what Ryan is
suggesting, which is something like ip verify connected reverse. (Which,
come to think of it, would not be a bad option to have.) I do have to agree
with Eric though that Cisco cannot be expected to take unilateral action
to implement this by default. If the router requirements RFC were updated
to make this a strong SHOULD, then router manufacturers could at least
claim that they were complying with the standards to the best of their
ability. There is one middle-ground path that I can think of: since we
are talking about Internet connected routers, make ip verify unicast
reverse the default in the S (Service Provider) train of IOS code. If you
are running S train IOS and you do not understand the implications of ip
verify unicast reverse, then you either need new support staff or you
should be in another business.

BTW, ip verify unicast reverse is only really useful for keeping an origin
from sourcing spoofed packets; it will still allow spoofed packets in from
Martian networks unless you route those to null also.

Regards,
--tcw
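As an added illustration (not part of the thread, and not Cisco's code): a small Python model of strict uRPF over a constructed FIB. It shows the two points made above: the reverse-path check stops a leaf subnet from sourcing packets with another prefix's address, but on an upstream-facing interface it passes a Martian source until that space is routed to Null0. The interface names, prefixes, Martian list and the allow_default switch are assumptions of the model, not IOS internals.

```python
import ipaddress

# Constructed sample FIB for a small edge router. This is an assumption for the
# example, not a configuration from the thread.
FIB = {
    "203.0.113.0/24": "Ethernet0",   # customer leaf subnet
    "198.51.100.0/24": "Ethernet1",  # second customer subnet
    "0.0.0.0/0": "Serial0",          # default route toward the upstream
}

# Martian space that the post suggests routing to null. Constructed list,
# not exhaustive; use a maintained bogon list in practice.
MARTIANS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"]


def build_fib(null_route_martians):
    """Return {network: interface}; optionally add Martian prefixes -> Null0."""
    fib = {ipaddress.ip_network(p): i for p, i in FIB.items()}
    if null_route_martians:
        for m in MARTIANS:
            fib[ipaddress.ip_network(m)] = "Null0"
    return fib


def lookup(fib, addr):
    """Longest-prefix match. Returns (prefix, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_accept(fib, ingress, src, allow_default=False):
    """Model of strict uRPF ('ip verify unicast reverse-path'):
    accept only if the best route back to src leaves via the ingress interface.

    allow_default is a modelling switch for whether a source matched only by
    the default route counts as reachable (compare the allow-default keyword
    of the later 'ip verify unicast source reachable-via' syntax); an
    upstream-facing interface needs it or it would drop nearly everything.
    A route to Null0 never passes, which is what makes null-routing Martian
    prefixes turn uRPF into a Martian filter as well."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if iface == "Null0":
        return False
    return iface == ingress


def run_cases():
    """Four constructed packets that illustrate the post's two points."""
    plain = build_fib(null_route_martians=False)
    hardened = build_fib(null_route_martians=True)
    return {
        # customer's own address on its own interface: legitimate
        "leaf_legit": urpf_accept(plain, "Ethernet0", "203.0.113.5"),
        # customer spoofing another customer's prefix: best route is Ethernet1
        "leaf_spoof": urpf_accept(plain, "Ethernet0", "198.51.100.9"),
        # Martian source arriving from the upstream: the default route points
        # back out Serial0, so strict uRPF alone passes it
        "martian_no_null": urpf_accept(plain, "Serial0", "10.1.2.3",
                                       allow_default=True),
        # same packet once 10.0.0.0/8 is routed to Null0: dropped
        "martian_null": urpf_accept(hardened, "Serial0", "10.1.2.3",
                                    allow_default=True),
    }


if __name__ == "__main__":
    for name, accepted in run_cases().items():
        print(f"{name:16} {'accept' if accepted else 'drop'}")
```

The model deliberately treats a Null0 hit as a drop in all cases; that is the mechanism by which a static null route for Martian space gives the reverse-path check a reason to discard those sources, which is the caveat the post closes on.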


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

