
In message <37CE556A.3B97A29E@insnet.net>, Leigh Porter writes:
"Gert Doering, Netmaster" wrote:
Hi,
On Thu, Sep 02, 1999 at 10:44:39AM +0100, Leigh Porter wrote:
As a side note, does anybody use anything to prevent address spoofing in their network? That would at least prevent a lot of attacks completely and make tracing the rest much easier.
Sure we do.
On our ingress interfaces to our customers, we have very strict access lists ("permit ip <customer net> any / deny ip any any log").
How do you manage large BGP customers with lots of networks? I would also be interested to know performance hits on the routers for this.
You filter at your ingress points. If you have a leased-line customer you make sure they can't send from anything but the addresses they have from ripe. Dial up likewise.
I do recall something Cisco implemented that checked you have a route back to any source address that comes in on a suitably configured interface else it'll drop the packet as being spoofed, this sounds good - anybody tried it?
Hey, that sounds neat, more info?

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
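
A small model of the two anti-spoofing checks discussed in this thread, the static ingress access list and the "route back to the source" check, run over a few packets. This is an added example, not code from the thread and not Cisco's implementation; the routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, interface the best route points out of).
ROUTES = [
    ("192.0.2.0/24", "Serial0"),       # leased-line customer A
    ("198.51.100.0/24", "Serial1"),    # customer B, primary link
    ("198.51.100.128/25", "Serial2"),  # more-specific of B announced over a second link
    ("0.0.0.0/0", "Uplink0"),          # default route towards the upstream
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]

def best_route(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in TABLE if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def reverse_path_ok(src, in_ifc):
    """Strict check: the best route back to src must leave via the arrival interface."""
    route = best_route(src)
    return route is not None and route[1] == in_ifc

def acl_ok(src, customer_nets):
    """Static filter from the thread: permit ip <customer net> any / deny ip any any."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in customer_nets)

def classify(packets):
    """Return (src, interface, verdict) for each (src, arrival interface) pair."""
    return [(s, i, "forward" if reverse_path_ok(s, i) else "drop") for s, i in packets]

# Constructed packets: (source address, arrival interface).
SAMPLE = [
    ("192.0.2.10", "Serial0"),      # customer A using its own address
    ("203.0.113.7", "Serial0"),     # customer A spoofing a foreign source
    ("198.51.100.200", "Serial1"),  # customer B's own address on the "wrong" link
    ("203.0.113.7", "Uplink0"),     # same foreign source arriving from upstream
]

if __name__ == "__main__":
    for src, ifc, verdict in classify(SAMPLE):
        print(f"{src:16} in {ifc:8} -> {verdict}")
```

The third packet is the case raised by the question about large BGP customers: a per-customer access list for 198.51.100.0/24 permits it, while the strict reverse-path check drops it because the more-specific route points at the other link.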