Re: DDoS Mitigation Survey

On Mon, 7 Mar 2005, Christopher L. Morrow wrote:
Loose should provide you the ability to 'anti-spoof' a customer link,
where 'anti-spoof' would mean: "drop anything not in the global table, or
which has an adjacency which is 'discard'" (discard/null/bad/reject...
invalid) This seems nice, but the trade-off isn't something I see
worthwhile if your gear can't do this in hardware. uRPF can be very, very
dangerous on software based platforms :(

But this isn't "anti-spoof" at all, because the customer can just spoof a _routed_ address instead. Maybe it could be characterized as "the customer sending us traffic it definitely shouldn't be sending us", triggering an investigation of what's going on.

But as you state, the customers typically send you private IP addresses etc. as well, so this is more of a check whether the customer has done some amount of filtering himself, nothing more.

This is what RFC3704 section 2.4 says:

   If other approaches are unsuitable, loose RPF could be used as a form
   of contract verification: the other network is presumably certifying
   that it has provided appropriate ingress filtering rules, so the
   network doing the filtering need only verify the fact and react if
   any packets which would show a breach in the contract are detected.
   Of course, this mechanism would only show if the source addresses
   used are "martian" or other unrouted addresses -- not if they are
   from someone else's address space.

.. but this has nothing to do with real anti-spoofing..

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
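As an added illustration (not part of the thread or of any vendor's code), a toy longest-prefix-match FIB with loose and strict uRPF checks; the prefixes, interface names and the "discard" next-hop marker are constructed. It shows the point made above: a spoofed source that is still a routed address passes the loose check, and only strict RPF (route back to the source must point at the ingress interface) catches it.

```python
import ipaddress

# Constructed toy FIB: (prefix, next_hop). "discard" models a null/discard
# adjacency; eth0/eth1/eth2 are hypothetical interface names. A default route
# is deliberately absent: it would match every source and loose RPF would pass
# everything.
FIB = [
    ("198.51.100.0/24", "eth1"),     # customer A's link
    ("203.0.113.0/24",  "eth2"),     # customer B's link
    ("192.0.2.0/24",    "eth0"),     # upstream
    ("10.0.0.0/8",      "discard"),  # RFC 1918 space routed to null
    ("192.168.0.0/16",  "discard"),
]


def lookup(src):
    """Longest-prefix match on FIB; returns the next hop, or None if unrouted."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, nh in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def loose_rpf(src):
    """Loose uRPF: pass if the source is in the table and not via a discard adjacency."""
    nh = lookup(src)
    return nh is not None and nh != "discard"


def strict_rpf(src, ingress_if):
    """Strict uRPF: pass only if the best route to the source points back at the ingress interface."""
    return lookup(src) == ingress_if


def check(src, ingress_if):
    """Evaluate both checks for a packet with source src arriving on ingress_if."""
    return {"loose": loose_rpf(src), "strict": strict_rpf(src, ingress_if)}


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9", "10.1.2.3", "100.64.0.1"):
        print(src, check(src, "eth1"))
```

Run as-is: 203.0.113.9 arriving from customer A's interface is the spoofed-but-routed case, passing loose and failing strict.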