Date: Sat, 22 Jan 2000 11:59:43 +0100
From: sthaug@nethelp.no
To: yankee@az.com
Cc: gdonl@tsc.tdk.com, security@FreeBSD.ORG
Subject: Re: attack arbitration server
Message-ID: <58522.948538783@verdi.nethelp.no>
In-Reply-To: Your message of "Sat, 22 Jan 2000 01:42:57 -0800 (PST)"
References: <Pine.BSF.3.91.1000122012833.7170G-100000@gate.az.com>
> At some point in the chain of routers during a reverse route trace back,
> the key router that was originally spoofed would figure out where the
> packet REALLY came from and realize it was different than the originally
> documented source address in its history/route table. Sort of like, Hey -
> I don't have a destination to you and I'm getting complaints about you

This exists in Cisco IOS 12.0, and also 11.1CC. It's a per-interface setting called "ip verify unicast reverse-path", and will indeed check the source address against the routing tables. A couple of caveats:

- Not really all that usable for core routers, since it doesn't work reliably for asymmetric routing paths. You need to do this at the edge routers. It's still much better than having to make an access list per interface, though.

- Requires you to run CEF.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
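Added example, not part of the thread or of any vendor's code: a small Python model of the per-interface reverse-path check that Steinar's reply describes ("ip verify unicast reverse-path"). It does a longest-prefix lookup on the packet's source address and passes the packet only when the best route back to that source points out the interface the packet arrived on. The routing table, interface names and sample packets are constructed for the example; the last sample shows the asymmetric-routing caveat from the reply, where a legitimate packet is dropped because the return route points elsewhere.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for an edge router: (prefix, outgoing interface).
# Serial0 is the upstream link; Ethernet0/Ethernet1 face two customer networks.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "Serial0"),          # default route towards the upstream
    ("192.0.2.0/24", "Ethernet0"),     # customer A behind Ethernet0
    ("198.51.100.0/24", "Ethernet1"),  # customer B behind Ethernet1
    ("203.0.113.0/25", "Ethernet1"),   # a more specific prefix behind Ethernet1
]

Route = Tuple[ipaddress.IPv4Network, str]


def longest_prefix_match(table: List[Tuple[str, str]], address: str) -> Optional[Route]:
    """Return (network, interface) of the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    best: Optional[Route] = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(table: List[Tuple[str, str]], ingress_iface: str, src: str) -> Tuple[bool, str]:
    """Strict reverse-path check on one packet.

    Passes only if the best route back to the source address leaves via the
    interface the packet arrived on; anything else is treated as spoofed.
    """
    route = longest_prefix_match(table, src)
    if route is None:
        return False, "drop: no route to source %s" % src
    net, iface = route
    if iface == ingress_iface:
        return True, "pass: %s via %s matches ingress %s" % (net, iface, ingress_iface)
    return False, "drop: %s routes via %s, packet arrived on %s" % (net, iface, ingress_iface)


# Constructed sample packets: (ingress interface, source address, description).
SAMPLE_PACKETS = [
    ("Ethernet0", "192.0.2.10", "customer A sending with its own address"),
    ("Ethernet1", "192.0.2.10", "customer B forging customer A's address"),
    ("Ethernet0", "10.0.0.5", "customer A sending an address it does not own"),
    ("Serial0", "10.0.0.5", "upstream traffic, covered by the default route"),
    # Asymmetric case: return route points at Ethernet1, but this legitimate
    # packet arrives over the upstream link. Strict checking drops it, which is
    # why the reply recommends the feature at the edge rather than in the core.
    ("Serial0", "203.0.113.7", "legitimate packet on an asymmetric path"),
]


def run_samples(table=ROUTES, packets=SAMPLE_PACKETS) -> List[Tuple[str, bool, str]]:
    """Apply the check to each sample packet; returns (description, passed, reason)."""
    results = []
    for iface, src, what in packets:
        passed, reason = strict_urpf(table, iface, src)
        results.append((what, passed, reason))
    return results


if __name__ == "__main__":
    for what, passed, reason in run_samples():
        print("%-4s %-50s %s" % ("PASS" if passed else "DROP", what, reason))
```

The simulation evaluates the routing table itself rather than a per-interface access list, which is the point of the reply: one setting per interface covers every prefix that routes out of it, and stays correct as the table changes. The asymmetric sample is the failure mode to watch for before enabling it on a link that carries replies for paths that leave by another interface.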