
On Sat, 04 Sep 1999 21:32:50 +0200 Havard.Eidnes@runit.sintef.no wrote:

11.1CC28 has a new bug-fix [*] for dropping bad packet fragments also. We haven't tested it, but it could be useful for some attacks we've seen in the past.

* Some may call this a feature, but it's definitely a bug fix.

Regards,
Neil.
I do recall something Cisco implemented that checked you have a route back to any source address that comes in on a suitably configured interface, else it'll drop the packet as being spoofed. This sounds good - anybody tried it?
Hey, that sounds neat, more info?
It is an IOS 12.0 feature. It requires that you run CEF (most if not all platforms can do that in 12.0). The interface command is
ip verify unicast reverse-path
For each packet it checks that it has a route back to the source IP address pointing out the interface where the packet entered, and drops the packet if it doesn't.
For rather obvious reasons this feature cannot be used where you have asymmetric traffic patterns. This commonly occurs in backbone networks with "hot-potato" routing between providers which peer in multiple places. But then again, this checking should be done on the edges of the network, where asymmetry should be much less of a problem.
With early revisions of 12.0 there were issues with helper-address handling -- bootp requests from 0.0.0.0 would be dropped on the floor instead of being forwarded (ugh!). I think that is now fixed, though.
And, yes, we are using the feature.
- Hevard
-- Neil J. McRae C O L T I N T E R N E T neil@COLT.NET
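The strict reverse-path check Havard describes, modelled as an added example (not Cisco code): the routing table, interface names and sample packets are constructed, and whether the default route may satisfy the check is a knob in the model, not a claim about IOS 12.0 behaviour. It also reproduces the two caveats in the thread: an asymmetric return path and a BOOTP request sourced from 0.0.0.0 both get dropped.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "Serial0"),       # default route towards upstream
    ("10.1.0.0/16", "Ethernet0"),   # customer LAN
    ("10.1.5.0/24", "Ethernet1"),   # more specific customer subnet
    ("192.0.2.0/24", "Serial1"),    # peer reached via a second link
]

def lookup(dst, allow_default=False):
    """Longest-prefix match; returns the egress interface or None.
    The default route only counts when allow_default is set (assumption:
    a knob in this model, not a statement about the IOS 12.0 feature)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src, ingress, allow_default=False):
    """Strict check: accept only if the route back to src exits via ingress."""
    return lookup(src, allow_default) == ingress

def classify(packets, allow_default=False):
    """Split (src, ingress) pairs into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, ingress in packets:
        bucket = accepted if urpf_strict(src, ingress, allow_default) else dropped
        bucket.append((src, ingress))
    return accepted, dropped

# Constructed sample packets: (source address, ingress interface)
PACKETS = [
    ("10.1.5.7", "Ethernet1"),    # legitimate: best route back is Ethernet1
    ("10.1.5.7", "Ethernet0"),    # spoofed: that source lives behind Ethernet1
    ("10.1.200.3", "Ethernet0"),  # legitimate: covered by 10.1.0.0/16
    ("192.0.2.4", "Serial0"),     # asymmetric: return path is Serial1, so dropped
    ("0.0.0.0", "Ethernet0"),     # BOOTP request: no route back, dropped (helper-address problem)
]

if __name__ == "__main__":
    ok, bad = classify(PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```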